Play interactive tour

Edit tour

Analysis Report Invoice PaymentPDF.vbs

Overview

General Information

Sample Name:	Invoice PaymentPDF.vbs
Analysis ID:	382764
MD5:	3911ee0964b7aa57b411fe3d88d304d6
SHA1:	b6f21d1f4a6f3329e8403038906fc93a7872fcee
SHA256:	ea5784a4389f86bb28ec9ca5fc099b5d4e8791983ce7b66df5c1cf8cb01e5952
Tags:	NanoCoreRATvbs
Infos:
Most interesting Screenshot:

Detection

Nanocore AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Detected Nanocore Rat

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

VBScript performs obfuscated calls to suspicious functions

Yara detected AsyncRAT

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large strings

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Potential malicious VBS script found (has network functionality)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

wscript.exe (PID: 5648 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice PaymentPDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

file.exe (PID: 360 cmdline: 'C:\Users\user~1\AppData\Local\Temp\file.exe' MD5: 76D2BB0F57BBF02E190055FCDB3663DB)

name.exe (PID: 4704 cmdline: 'C:\Users\user~1\AppData\Local\Temp\name.exe' MD5: 50B53CECA7021AD9ABEA4074A634680A)

cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "23.238.217.173", "Ports": "6606,7707,8808", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "rCdLgrV42q0DuDQzYbk2auSrJRoHXPHS", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "MIIE8jCCAtqgAwIBAgIQAJkhHU+BH915hv7LViGwzzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjAxMTA3MTkxMTE5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ2Kr4dwEtG7paj+p7bT61qNpAHg0vCScR1TFYJ9AFuPQMEPGEaB7gCf40qGTli8A/ac0EI2vXm8+pKrmu2ae50KltRwInh3rlKQOV3s6p1sGE7cZNc0a8+YjbLtvex6jx7mc+RrPNDX7ztZb5yFXDOxOmXNhcisF7GQLeIXdRp3AzEafDoS0S6N5AJlUCyI3/vHk6FbI8GZtjjj2fvYQKeX/oQyv+KDwx3m7BO6NTaLVCrDBikJZpoajcvmctTlR5u5HgtzIQ6QfZtt3SMPOC7vE4QOwfIS5Y5EJ2H8u5qJ3f7aomyxDUSV8snsvDpXg5Nk6WAOf0Lh10sjWM82Q8wCvaeijVkYMVTJYZXFhkc7C0+c6+19GVNvJlWdbSTeZKCOwCJD2TEiqJfCpeaySqJpvAqMhUj1qL+hX9SNS5uC32FcxVWve/COS1s6piR4GO5GWqErJp5dKDNyxnJWW27pyivcuciKSfj7g4ObXA3ABARzJucyyAV2rAn9N18JwOguGAu3boSDtgvIUYiUAupPK0a7Lf8E+eiLWMsVdX5uXRy2M5Lw/VGJ9EiMbswzfJN05WV5kp1QESUzkIZWMBKmfFJ3JgipR/mSxBXT6+7FQfLWEil3T/1UKE9Rm7Q4k0kcYX/SpzUvgZadwyaI8hbjz3uiaFV9/FSFPrq6qPkxAgMBAAGjMjAwMB0GA1UdDgQWBBTIOzfxNrixzR4oMI+dIEjFy3dMfTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBp13OHOR30C2YvzChrPHZIxlXZWnFJz5nazJy2kvFXCoq+ENu1aTJtpwN0XR0FhLyBhbWDTqoxoxJK33bfPjSn2Vrr44Anpdfjn+wBGfvic8btWTlPE/0g0vYDlv3OmIibf0s7ob/fVNaFiBumJZiPKguGya283ycWRF28JN/mqV7A6r4Py26CtTaGAs36Kzg5hgAxRoXjEMl8PzbYFjRFzteO0OA2Y9p2wp79W+h9JY0rGW/UTQqvUNpV2KfdKf5eGOKv5PHhzcQ56L+RydGaO0BL0WAcy/wvu/rW6+XPDhotNcVbsFGxPdMXUGfbzT5+4ugJv9n95fn3f6EWVitDdt/b1iz55YkbpbHr3YaPT/LVp9qXSHgg0lz9FQsdkssrD2Ete5NdlTOezia4jvxgkb2vdYIWNSURnNJXmH6CPVnrRa4juhjKtXsG0dOdxz5PSRJYmukFy8gl283yeOmDEqSDo9rQ9ywxtcL2IJYHzkmo6vctWnQnUaD8H87zz1YN3f1FbQEXovEDkIB7AiyRG2kfeRNMbEFCd0u1TXajD4z/+4+EGAGYpU7Laqar0PbFAuBe8/SAPfAsYqLdQ5TKIm8f54miRP72ySJ7+4kus25+19LdQmUJM79EKeFw2R6COJRRTvZ4hP3xqwn4yPULDJbU+CBSV9QY1YwU4ziUCQ==", "ServerSignature": "b7cZ72qbdlFxoVfpO/0tHE5xKg0vNw58XJ+PsP/eWucYIkdeP6fnlIwnxnXsvoEWxw3CuGFtcGjY9btemVUwPNMNu2wCsW4Plb9qpUk7TXu6kX0D+z5illmf1+q1/535hHDE0vGVhjFy7mX+LHrPyDC4o+zRjsy970eMY24er5ru4bN4yWrDr/MdoeLABYGFIeJwKEMu0VNjtiNdQ1mbX31uWDuMfJyDpdTZ8aIhxSo7S4Oil7bvpbpmqEPHwd5j3iPK3DdAKhcBAkOfPur2FP3R3iO8bVVWn5noiqU/vsrQq2PCFHvnllFYpYKRTKpla0bxa9WdmRJhAvpgBdUfcQFoIrrDfvO9djA2yTTJxzbDcT3GAdLtvnR9zcaRrrNlSp0NHNrDVjxcSv5bGixB8KKKmt7IKOo/RB6YweBpN+UbKhKo6O5pRaiDohxYS05ncA8UJp+81fMqT6iNNr2vn0CZScqINi1rCy5xoroXMvwnrU/nY+ePB6j8YnZFnspY1LW831Bdz0JLTLeeZrtEOg/6GrfOcQuEQZ+FiqE3xo+cpETksVUvcj/hzGMCnjwtHKe6GM18Li2GfkdTT/6BebbvAFmPvKBdSMkrVS6oVGm3UbEzGo6dqKhHyKqplYvr7/3pThARRvMylERoICs+pf/UWjsfhN52jEBm/FImD6c=", "Group": "NOW"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\name.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Local\Temp\name.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Users\user\AppData\Local\Temp\name.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Users\user\AppData\Local\Temp\name.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.492099585.0000000000DA0000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.498075697.0000000005350000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000004.00000002.498075697.0000000005350000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000003.00000002.492732344.0000000002911000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfdfd:$x1: NanoCore.ClientPluginHost 0xfe3a:$x2: IClientNetworkHost 0x1396d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfb65:$a: NanoCore 0xfb75:$a: NanoCore 0xfda9:$a: NanoCore 0xfdbd:$a: NanoCore 0xfdfd:$a: NanoCore 0xfbc4:$b: ClientPlugin 0xfdc6:$b: ClientPlugin 0xfe06:$b: ClientPlugin 0xfceb:$c: ProjectData 0x106f2:$d: DESCrypto 0x180be:$e: KeepAlive 0x160ac:$g: LogClientMessage 0x122a7:$i: get_Connected 0x10a28:$j: #=q 0x10a58:$j: #=q 0x10a74:$j: #=q 0x10aa4:$j: #=q 0x10ac0:$j: #=q 0x10adc:$j: #=q 0x10b0c:$j: #=q 0x10b28:$j: #=q
00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.496683014.0000000004121000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.496683014.0000000004121000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7be1:$a: NanoCore 0x7c3a:$a: NanoCore 0x7c77:$a: NanoCore 0x7cf0:$a: NanoCore 0x1b39b:$a: NanoCore 0x1b3b0:$a: NanoCore 0x1b3e5:$a: NanoCore 0x25249:$a: NanoCore 0x252a2:$a: NanoCore 0x252df:$a: NanoCore 0x25358:$a: NanoCore 0x38a03:$a: NanoCore 0x38a18:$a: NanoCore 0x38a4d:$a: NanoCore 0x46662:$a: NanoCore 0x46687:$a: NanoCore 0x466e0:$a: NanoCore 0x7c43:$b: ClientPlugin 0x7c80:$b: ClientPlugin 0x857e:$b: ClientPlugin 0x858b:$b: ClientPlugin
00000004.00000002.499346217.0000000006090000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000004.00000002.499346217.0000000006090000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000004.00000002.499421831.00000000060B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000004.00000002.499421831.00000000060B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb85d:$x1: NanoCore.ClientPluginHost 0xb89a:$x2: IClientNetworkHost 0x6d9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb3b5:$a: NanoCore 0xb3c5:$a: NanoCore 0xb809:$a: NanoCore 0xb81d:$a: NanoCore 0xb85d:$a: NanoCore 0xb414:$b: ClientPlugin 0xb826:$b: ClientPlugin 0xb866:$b: ClientPlugin 0xb74b:$c: ProjectData 0xc152:$d: DESCrypto 0x1edae:$e: KeepAlive 0x1655c:$g: LogClientMessage 0x56d7:$i: get_Connected 0x50bd:$j: #=q 0x50ed:$j: #=q 0x5109:$j: #=q 0x515a:$j: #=q 0x5176:$j: #=q 0x519e:$j: #=q 0x51ba:$j: #=q 0x51ea:$j: #=q
00000004.00000002.499738147.0000000006130000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000004.00000002.499738147.0000000006130000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1585d:$x1: NanoCore.ClientPluginHost 0x1589a:$x2: IClientNetworkHost 0x10d9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x153b5:$a: NanoCore 0x153c5:$a: NanoCore 0x15809:$a: NanoCore 0x1581d:$a: NanoCore 0x1585d:$a: NanoCore 0x15414:$b: ClientPlugin 0x15826:$b: ClientPlugin 0x15866:$b: ClientPlugin 0x1574b:$c: ProjectData 0x16152:$d: DESCrypto 0x28dae:$e: KeepAlive 0x2055c:$g: LogClientMessage 0xf6d7:$i: get_Connected 0xf0bd:$j: #=q 0xf0ed:$j: #=q 0xf109:$j: #=q 0xf15a:$j: #=q 0xf176:$j: #=q 0xf19e:$j: #=q 0xf1ba:$j: #=q 0xf1ea:$j: #=q
00000004.00000002.496940045.0000000004180000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.499506024.00000000060E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000004.00000002.499506024.00000000060E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb85d:$x1: NanoCore.ClientPluginHost 0xb89a:$x2: IClientNetworkHost 0x6d9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb3b5:$a: NanoCore 0xb3c5:$a: NanoCore 0xb809:$a: NanoCore 0xb81d:$a: NanoCore 0xb85d:$a: NanoCore 0xb414:$b: ClientPlugin 0xb826:$b: ClientPlugin 0xb866:$b: ClientPlugin 0xb74b:$c: ProjectData 0xc152:$d: DESCrypto 0x1edae:$e: KeepAlive 0x1655c:$g: LogClientMessage 0x56d7:$i: get_Connected 0x50bd:$j: #=q 0x50ed:$j: #=q 0x5109:$j: #=q 0x515a:$j: #=q 0x5176:$j: #=q 0x519e:$j: #=q 0x51ba:$j: #=q 0x51ea:$j: #=q
00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1013d:$x1: NanoCore.ClientPluginHost 0x1017a:$x2: IClientNetworkHost 0x13cad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfea5:$a: NanoCore 0xfeb5:$a: NanoCore 0x100e9:$a: NanoCore 0x100fd:$a: NanoCore 0x1013d:$a: NanoCore 0xff04:$b: ClientPlugin 0x10106:$b: ClientPlugin 0x10146:$b: ClientPlugin 0x1002b:$c: ProjectData 0x10a32:$d: DESCrypto 0x183fe:$e: KeepAlive 0x163ec:$g: LogClientMessage 0x125e7:$i: get_Connected 0x10d68:$j: #=q 0x10d98:$j: #=q 0x10db4:$j: #=q 0x10de4:$j: #=q 0x10e00:$j: #=q 0x10e1c:$j: #=q 0x10e4c:$j: #=q 0x10e68:$j: #=q
00000004.00000002.499468188.00000000060D0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000004.00000002.499468188.00000000060D0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000004.00000002.499649903.0000000006110000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000004.00000002.499649903.0000000006110000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1385d:$x1: NanoCore.ClientPluginHost 0x1389a:$x2: IClientNetworkHost 0xed9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x133b5:$a: NanoCore 0x133c5:$a: NanoCore 0x13809:$a: NanoCore 0x1381d:$a: NanoCore 0x1385d:$a: NanoCore 0x13414:$b: ClientPlugin 0x13826:$b: ClientPlugin 0x13866:$b: ClientPlugin 0x1374b:$c: ProjectData 0x14152:$d: DESCrypto 0x26dae:$e: KeepAlive 0x1e55c:$g: LogClientMessage 0xd6d7:$i: get_Connected 0xd0bd:$j: #=q 0xd0ed:$j: #=q 0xd109:$j: #=q 0xd15a:$j: #=q 0xd176:$j: #=q 0xd19e:$j: #=q 0xd1ba:$j: #=q 0xd1ea:$j: #=q
00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8d6f:$a: NanoCore 0x8dc8:$a: NanoCore 0x8dfb:$a: NanoCore 0x9027:$a: NanoCore 0x90a3:$a: NanoCore 0x96bc:$a: NanoCore 0x9805:$a: NanoCore 0x9cd9:$a: NanoCore 0x9fc0:$a: NanoCore 0x9fd7:$a: NanoCore 0x12ecf:$a: NanoCore 0x12f4b:$a: NanoCore 0x1582e:$a: NanoCore 0x19ff4:$a: NanoCore 0x1a03e:$a: NanoCore 0x1ac98:$a: NanoCore 0x202d5:$a: NanoCore 0x2034f:$a: NanoCore 0x2a93b:$a: NanoCore 0x2aa25:$a: NanoCore 0x2b89c:$a: NanoCore
00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1585d:$x1: NanoCore.ClientPluginHost 0x1589a:$x2: IClientNetworkHost 0x10d9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x153b5:$a: NanoCore 0x153c5:$a: NanoCore 0x15809:$a: NanoCore 0x1581d:$a: NanoCore 0x1585d:$a: NanoCore 0x15414:$b: ClientPlugin 0x15826:$b: ClientPlugin 0x15866:$b: ClientPlugin 0x1574b:$c: ProjectData 0x16152:$d: DESCrypto 0x28dae:$e: KeepAlive 0x2055c:$g: LogClientMessage 0xf6d7:$i: get_Connected 0xf0bd:$j: #=q 0xf0ed:$j: #=q 0xf109:$j: #=q 0xf15a:$j: #=q 0xf176:$j: #=q 0xf19e:$j: #=q 0xf1ba:$j: #=q 0xf1ea:$j: #=q
00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.499439441.00000000060C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000004.00000002.499439441.00000000060C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000004.00000002.494696991.0000000003173000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3a56e:$a: NanoCore 0x3a593:$a: NanoCore 0x3a5ec:$a: NanoCore 0x4a7cb:$a: NanoCore 0x4a7f1:$a: NanoCore 0x4a84d:$a: NanoCore 0x576df:$a: NanoCore 0x57738:$a: NanoCore 0x5776b:$a: NanoCore 0x57997:$a: NanoCore 0x57a13:$a: NanoCore 0x5802c:$a: NanoCore 0x58175:$a: NanoCore 0x58649:$a: NanoCore 0x58930:$a: NanoCore 0x58947:$a: NanoCore 0x61823:$a: NanoCore 0x6189f:$a: NanoCore 0x64182:$a: NanoCore 0x6892c:$a: NanoCore 0x68976:$a: NanoCore
00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1185d:$x1: NanoCore.ClientPluginHost 0x1189a:$x2: IClientNetworkHost 0xcd9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x113b5:$a: NanoCore 0x113c5:$a: NanoCore 0x11809:$a: NanoCore 0x1181d:$a: NanoCore 0x1185d:$a: NanoCore 0x11414:$b: ClientPlugin 0x11826:$b: ClientPlugin 0x11866:$b: ClientPlugin 0x1174b:$c: ProjectData 0x12152:$d: DESCrypto 0x24dae:$e: KeepAlive 0x1c55c:$g: LogClientMessage 0xb6d7:$i: get_Connected 0xb0bd:$j: #=q 0xb0ed:$j: #=q 0xb109:$j: #=q 0xb15a:$j: #=q 0xb176:$j: #=q 0xb19e:$j: #=q 0xb1ba:$j: #=q 0xb1ea:$j: #=q
00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9726d:$x1: NanoCore.ClientPluginHost 0x972aa:$x2: IClientNetworkHost 0x9addd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x96fd5:$a: NanoCore 0x96fe5:$a: NanoCore 0x97219:$a: NanoCore 0x9722d:$a: NanoCore 0x9726d:$a: NanoCore 0x97034:$b: ClientPlugin 0x97236:$b: ClientPlugin 0x97276:$b: ClientPlugin 0x9715b:$c: ProjectData 0x97b62:$d: DESCrypto 0x9f52e:$e: KeepAlive 0x9d51c:$g: LogClientMessage 0x99717:$i: get_Connected 0x97e98:$j: #=q 0x97ec8:$j: #=q 0x97ee4:$j: #=q 0x97f14:$j: #=q 0x97f30:$j: #=q 0x97f4c:$j: #=q 0x97f7c:$j: #=q 0x97f98:$j: #=q
00000004.00000002.498013207.0000000005320000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000004.00000002.498013207.0000000005320000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000004.00000002.497731455.000000000455A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.497731455.000000000455A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a61:$a: NanoCore 0x1aba:$a: NanoCore 0x1af7:$a: NanoCore 0x1b70:$a: NanoCore 0x1521b:$a: NanoCore 0x15230:$a: NanoCore 0x15265:$a: NanoCore 0x1ac3:$b: ClientPlugin 0x1b00:$b: ClientPlugin 0x23fe:$b: ClientPlugin 0x240b:$b: ClientPlugin 0x14fd7:$b: ClientPlugin 0x14ff2:$b: ClientPlugin 0x15022:$b: ClientPlugin 0x15239:$b: ClientPlugin 0x1526e:$b: ClientPlugin 0x1514f:$c: ProjectData 0x1f4b:$g: LogClientMessage 0x1ecb:$i: get_Connected 0x15a9e:$j: #=q 0x15ace:$j: #=q
00000004.00000002.499285834.0000000006070000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000004.00000002.499285834.0000000006070000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb85d:$x1: NanoCore.ClientPluginHost 0xb89a:$x2: IClientNetworkHost 0x6d9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb3b5:$a: NanoCore 0xb3c5:$a: NanoCore 0xb809:$a: NanoCore 0xb81d:$a: NanoCore 0xb85d:$a: NanoCore 0xb414:$b: ClientPlugin 0xb826:$b: ClientPlugin 0xb866:$b: ClientPlugin 0xb74b:$c: ProjectData 0xc152:$d: DESCrypto 0x1edae:$e: KeepAlive 0x1655c:$g: LogClientMessage 0x56d7:$i: get_Connected 0x50bd:$j: #=q 0x50ed:$j: #=q 0x5109:$j: #=q 0x515a:$j: #=q 0x5176:$j: #=q 0x519e:$j: #=q 0x51ba:$j: #=q 0x51ea:$j: #=q
00000004.00000002.499244411.0000000006050000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000004.00000002.499244411.0000000006050000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000004.00000002.499588089.0000000006100000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000004.00000002.499588089.0000000006100000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000004.00000002.499782274.0000000006160000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000004.00000002.499782274.0000000006160000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000004.00000002.497341701.00000000042F7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb3f6f:$a: NanoCore 0xb3f94:$a: NanoCore 0xb3fed:$a: NanoCore 0xc418c:$a: NanoCore 0xc41b2:$a: NanoCore 0xc420e:$a: NanoCore 0xd1065:$a: NanoCore 0xd10be:$a: NanoCore 0xd10f1:$a: NanoCore 0xd131d:$a: NanoCore 0xd1399:$a: NanoCore 0xd19b2:$a: NanoCore 0xd1afb:$a: NanoCore 0xd1fcf:$a: NanoCore 0xd22b6:$a: NanoCore 0xd22cd:$a: NanoCore 0xdb171:$a: NanoCore 0xdb1ed:$a: NanoCore 0xddad0:$a: NanoCore 0xe0e82:$a: NanoCore 0xe223e:$a: NanoCore
Process Memory Space: file.exe PID: 360	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: wscript.exe PID: 5648	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1026f0:$x1: NanoCore.ClientPluginHost 0x1bd56f:$x1: NanoCore.ClientPluginHost 0x21f404:$x1: NanoCore.ClientPluginHost 0x2b0ce3:$x1: NanoCore.ClientPluginHost 0x3d9743:$x1: NanoCore.ClientPluginHost 0x5f724f:$x1: NanoCore.ClientPluginHost 0x644fec:$x1: NanoCore.ClientPluginHost 0x10275a:$x2: IClientNetworkHost 0x1bd5d9:$x2: IClientNetworkHost 0x21f46e:$x2: IClientNetworkHost 0x2b0d4d:$x2: IClientNetworkHost 0x3d97ad:$x2: IClientNetworkHost 0x5f72b9:$x2: IClientNetworkHost 0x645056:$x2: IClientNetworkHost 0x1081a4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x116cd1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ba814:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1bc85c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x21c6a9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x21e6f1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2b6797:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: wscript.exe PID: 5648	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: wscript.exe PID: 5648	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x102183:$a: NanoCore 0x1021a2:$a: NanoCore 0x102324:$a: NanoCore 0x102333:$a: NanoCore 0x102642:$a: NanoCore 0x102674:$a: NanoCore 0x1026f0:$a: NanoCore 0x11333b:$a: NanoCore 0x11334d:$a: NanoCore 0x113389:$a: NanoCore 0x1bcfdc:$a: NanoCore 0x1bcffb:$a: NanoCore 0x1bd17d:$a: NanoCore 0x1bd18c:$a: NanoCore 0x1bd4c1:$a: NanoCore 0x1bd4f3:$a: NanoCore 0x1bd56f:$a: NanoCore 0x1c07c5:$a: NanoCore 0x1c07d7:$a: NanoCore 0x1c0813:$a: NanoCore 0x21ee71:$a: NanoCore
Process Memory Space: name.exe PID: 4704	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4c1e6:$x1: NanoCore.ClientPluginHost 0xbeb01:$x1: NanoCore.ClientPluginHost 0x12ac9e:$x1: NanoCore.ClientPluginHost 0x13085d:$x1: NanoCore.ClientPluginHost 0x13d884:$x1: NanoCore.ClientPluginHost 0x143443:$x1: NanoCore.ClientPluginHost 0x151110:$x1: NanoCore.ClientPluginHost 0x16e6a2:$x1: NanoCore.ClientPluginHost 0x191d13:$x1: NanoCore.ClientPluginHost 0x1c2d93:$x1: NanoCore.ClientPluginHost 0x25fb4a:$x1: NanoCore.ClientPluginHost 0x2c5ec0:$x1: NanoCore.ClientPluginHost 0x2c8f11:$x1: NanoCore.ClientPluginHost 0x2cdf4a:$x1: NanoCore.ClientPluginHost 0x2d02b2:$x1: NanoCore.ClientPluginHost 0x2d4305:$x1: NanoCore.ClientPluginHost 0x2db4bb:$x1: NanoCore.ClientPluginHost 0x2e0316:$x1: NanoCore.ClientPluginHost 0x2ecaf2:$x1: NanoCore.ClientPluginHost 0x2f3c1a:$x1: NanoCore.ClientPluginHost 0x2ff2b8:$x1: NanoCore.ClientPluginHost
Process Memory Space: name.exe PID: 4704	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: name.exe PID: 4704	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4bceb:$a: NanoCore 0x4bd07:$a: NanoCore 0x4be62:$a: NanoCore 0x4be71:$a: NanoCore 0x4c14a:$a: NanoCore 0x4c176:$a: NanoCore 0x4c1e6:$a: NanoCore 0x5bc28:$a: NanoCore 0x5bc3a:$a: NanoCore 0x5bc76:$a: NanoCore 0xbe9f3:$a: NanoCore 0xbea94:$a: NanoCore 0xbeb01:$a: NanoCore 0xbebc2:$a: NanoCore 0xbfa93:$a: NanoCore 0xbfae6:$a: NanoCore 0xbfb1f:$a: NanoCore 0xbfb92:$a: NanoCore 0x12ab90:$a: NanoCore 0x12ac31:$a: NanoCore 0x12ac9e:$a: NanoCore
Click to see the 77 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.name.exe.31a89d8.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
4.2.name.exe.31a89d8.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
4.2.name.exe.455fab8.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
4.2.name.exe.455fab8.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
4.2.name.exe.455fab8.19.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.32dc3c4.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x9230:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
4.2.name.exe.32dc3c4.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x9230:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x930e:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost 0x924a:$s5: IClientLoggingHost
0.3.wscript.exe.28c2f7dcc70.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wscript.exe.28c2f7dcc70.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.3.wscript.exe.28c2f7dcc70.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wscript.exe.28c2f7dcc70.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.name.exe.60c0000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
4.2.name.exe.60c0000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
4.2.name.exe.6050000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
4.2.name.exe.6050000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
4.2.name.exe.455fab8.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.name.exe.455fab8.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.name.exe.455fab8.19.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.6100000.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
4.2.name.exe.6100000.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
4.2.name.exe.613e8a4.35.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
4.2.name.exe.613e8a4.35.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
0.3.wscript.exe.28c2f7cbaf0.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1fa7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.name.exe.5320000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
4.2.name.exe.5320000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
4.2.name.exe.53f0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.name.exe.53f0000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.name.exe.53f0000.23.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.45640e1.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
4.2.name.exe.45640e1.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
4.2.name.exe.45640e1.18.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.5320000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
4.2.name.exe.5320000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
4.2.name.exe.53f0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
4.2.name.exe.53f0000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
4.2.name.exe.53f0000.23.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.file.exe.2912938.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.name.exe.4127e02.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x1e4dd:$x1: NanoCore.ClientPluginHost 0x31c4b:$x1: NanoCore.ClientPluginHost 0x3f885:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x1e4f7:$x2: IClientNetworkHost 0x31c78:$x2: IClientNetworkHost 0x3f8af:$x2: IClientNetworkHost
4.2.name.exe.4127e02.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x1e4dd:$x2: NanoCore.ClientPluginHost 0x31c4b:$x2: NanoCore.ClientPluginHost 0x3f885:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1e8c9:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x1e79e:$s4: PipeCreated 0x32d26:$s4: PipeCreated 0x41735:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x1e518:$s5: IClientLoggingHost 0x31c65:$s5: IClientLoggingHost
4.2.name.exe.4127e02.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.4127e02.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x1e447:$a: NanoCore 0x1e4a0:$a: NanoCore 0x1e4dd:$a: NanoCore 0x1e556:$a: NanoCore 0x31c01:$a: NanoCore 0x31c16:$a: NanoCore 0x31c4b:$a: NanoCore 0x3f860:$a: NanoCore 0x3f885:$a: NanoCore 0x3f8de:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin
4.0.name.exe.870000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.name.exe.870000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.0.name.exe.870000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.name.exe.870000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.name.exe.6100000.33.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
4.2.name.exe.6100000.33.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
4.2.name.exe.32e7c4c.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost 0x7689:$x1: NanoCore.ClientPluginHost 0x11cef:$x1: NanoCore.ClientPluginHost 0x1c173:$x1: NanoCore.ClientPluginHost 0x271ad:$x1: NanoCore.ClientPluginHost 0x32fab:$x1: NanoCore.ClientPluginHost 0x3ed9e:$x1: NanoCore.ClientPluginHost 0x490c7:$x1: NanoCore.ClientPluginHost 0x4dee7:$x1: NanoCore.ClientPluginHost 0x76c2:$x2: IClientNetworkHost 0x11e4c:$x2: IClientNetworkHost 0x1c1ac:$x2: IClientNetworkHost 0x271c7:$x2: IClientNetworkHost 0x32fc5:$x2: IClientNetworkHost 0x3eddb:$x2: IClientNetworkHost 0x490e1:$x2: IClientNetworkHost 0x4df01:$x2: IClientNetworkHost
4.2.name.exe.32e7c4c.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x7689:$x2: NanoCore.ClientPluginHost 0x11cef:$x2: NanoCore.ClientPluginHost 0x1c173:$x2: NanoCore.ClientPluginHost 0x271ad:$x2: NanoCore.ClientPluginHost 0x32fab:$x2: NanoCore.ClientPluginHost 0x3ed9e:$x2: NanoCore.ClientPluginHost 0x490c7:$x2: NanoCore.ClientPluginHost 0x4dee7:$x2: NanoCore.ClientPluginHost 0x12c45:$s3: PipeExists 0x494b3:$s3: PipeExists 0x4e2d3:$s3: PipeExists 0x1486:$s4: PipeCreated 0x77a4:$s4: PipeCreated 0x11ee5:$s4: PipeCreated 0x1c2be:$s4: PipeCreated 0x281e2:$s4: PipeCreated 0x34d56:$s4: PipeCreated 0x421f1:$s4: PipeCreated 0x49388:$s4: PipeCreated 0x4e1a8:$s4: PipeCreated
4.2.name.exe.32e7c4c.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13a8:$a: NanoCore 0x13f2:$a: NanoCore 0x204c:$a: NanoCore 0x7689:$a: NanoCore 0x7703:$a: NanoCore 0x11cef:$a: NanoCore 0x11dd9:$a: NanoCore 0x12c50:$a: NanoCore 0x1be53:$a: NanoCore 0x1beb4:$a: NanoCore 0x1bef7:$a: NanoCore 0x1bf37:$a: NanoCore 0x1c173:$a: NanoCore 0x1c213:$a: NanoCore 0x1c9eb:$a: NanoCore 0x1cfde:$a: NanoCore 0x1d12f:$a: NanoCore 0x1df89:$a: NanoCore 0x1e1f0:$a: NanoCore 0x1e205:$a: NanoCore 0x1e224:$a: NanoCore
4.2.name.exe.6130000.37.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
4.2.name.exe.6130000.37.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
4.2.name.exe.60b0000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
4.2.name.exe.60b0000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
0.3.wscript.exe.28c2f7cbaf0.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1fa7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.name.exe.6160000.38.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
4.2.name.exe.6160000.38.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
4.2.name.exe.60d0000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
4.2.name.exe.60d0000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
0.3.wscript.exe.28c2f7dcc70.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wscript.exe.28c2f7dcc70.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.3.wscript.exe.28c2f7dcc70.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wscript.exe.28c2f7dcc70.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.wscript.exe.28c2fc970e0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wscript.exe.28c2fc970e0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.wscript.exe.28c2fc970e0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wscript.exe.28c2fc970e0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.name.exe.60e0000.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
4.2.name.exe.60e0000.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
4.2.name.exe.60d0000.31.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
4.2.name.exe.60d0000.31.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
4.2.name.exe.32d6944.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb58b:$x1: NanoCore.ClientPluginHost 0x126b0:$x1: NanoCore.ClientPluginHost 0x18991:$x1: NanoCore.ClientPluginHost 0x22ff7:$x1: NanoCore.ClientPluginHost 0x2d47b:$x1: NanoCore.ClientPluginHost 0x384b5:$x1: NanoCore.ClientPluginHost 0x442b3:$x1: NanoCore.ClientPluginHost 0x500a6:$x1: NanoCore.ClientPluginHost 0x5a3cf:$x1: NanoCore.ClientPluginHost 0x5f1ef:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5c4:$x2: IClientNetworkHost 0x189ca:$x2: IClientNetworkHost 0x23154:$x2: IClientNetworkHost 0x2d4b4:$x2: IClientNetworkHost 0x384cf:$x2: IClientNetworkHost 0x442cd:$x2: IClientNetworkHost 0x500e3:$x2: IClientNetworkHost 0x5a3e9:$x2: IClientNetworkHost 0x5f209:$x2: IClientNetworkHost
4.2.name.exe.32d6944.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb58b:$x2: NanoCore.ClientPluginHost 0x126b0:$x2: NanoCore.ClientPluginHost 0x18991:$x2: NanoCore.ClientPluginHost 0x22ff7:$x2: NanoCore.ClientPluginHost 0x2d47b:$x2: NanoCore.ClientPluginHost 0x384b5:$x2: NanoCore.ClientPluginHost 0x442b3:$x2: NanoCore.ClientPluginHost 0x500a6:$x2: NanoCore.ClientPluginHost 0x5a3cf:$x2: NanoCore.ClientPluginHost 0x5f1ef:$x2: NanoCore.ClientPluginHost 0x23f4d:$s3: PipeExists 0x5a7bb:$s3: PipeExists 0x5f5db:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb68f:$s4: PipeCreated 0x1278e:$s4: PipeCreated 0x18aac:$s4: PipeCreated 0x231ed:$s4: PipeCreated 0x2d5c6:$s4: PipeCreated 0x394ea:$s4: PipeCreated
4.2.name.exe.32d6944.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb58b:$a: NanoCore 0xb607:$a: NanoCore 0xdeea:$a: NanoCore 0x126b0:$a: NanoCore 0x126fa:$a: NanoCore 0x13354:$a: NanoCore 0x18991:$a: NanoCore 0x18a0b:$a: NanoCore 0x22ff7:$a: NanoCore 0x230e1:$a: NanoCore 0x23f58:$a: NanoCore
4.2.name.exe.43a63d9.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
4.2.name.exe.43a63d9.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
0.3.wscript.exe.28c2f7cbaf0.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1fa7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.name.exe.6050000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
4.2.name.exe.6050000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
4.2.name.exe.4186ef8.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
4.2.name.exe.4186ef8.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
4.2.name.exe.4186ef8.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.60c0000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
4.2.name.exe.60c0000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
4.2.name.exe.43b260d.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
4.2.name.exe.43b260d.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
4.2.name.exe.412cc38.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x196a7:$x1: NanoCore.ClientPluginHost 0x2ce15:$x1: NanoCore.ClientPluginHost 0x3aa4f:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x196c1:$x2: IClientNetworkHost 0x2ce42:$x2: IClientNetworkHost 0x3aa79:$x2: IClientNetworkHost
4.2.name.exe.412cc38.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x196a7:$x2: NanoCore.ClientPluginHost 0x2ce15:$x2: NanoCore.ClientPluginHost 0x3aa4f:$x2: NanoCore.ClientPluginHost 0x19a93:$s3: PipeExists 0x10888:$s4: PipeCreated 0x19968:$s4: PipeCreated 0x2def0:$s4: PipeCreated 0x3c8ff:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x196e2:$s5: IClientLoggingHost 0x2ce2f:$s5: IClientLoggingHost
4.2.name.exe.412cc38.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.412cc38.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x19611:$a: NanoCore 0x1966a:$a: NanoCore 0x196a7:$a: NanoCore 0x19720:$a: NanoCore 0x2cdcb:$a: NanoCore 0x2cde0:$a: NanoCore 0x2ce15:$a: NanoCore 0x3aa2a:$a: NanoCore 0x3aa4f:$a: NanoCore 0x3aaa8:$a: NanoCore 0xf51f:$b: ClientPlugin 0xf53a:$b: ClientPlugin 0xf56a:$b: ClientPlugin 0xf781:$b: ClientPlugin 0xf7b6:$b: ClientPlugin 0x19673:$b: ClientPlugin 0x196b0:$b: ClientPlugin 0x19fae:$b: ClientPlugin
4.2.name.exe.6134c9f.36.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
4.2.name.exe.6134c9f.36.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
4.2.name.exe.60e0000.32.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
4.2.name.exe.60e0000.32.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
4.2.name.exe.31a89d8.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e19:$x1: NanoCore.ClientPluginHost 0x21fbf:$x1: NanoCore.ClientPluginHost 0x2be4b:$x1: NanoCore.ClientPluginHost 0x32f54:$x1: NanoCore.ClientPluginHost 0x39219:$x1: NanoCore.ClientPluginHost 0x43863:$x1: NanoCore.ClientPluginHost 0x4dccb:$x1: NanoCore.ClientPluginHost 0x58ce9:$x1: NanoCore.ClientPluginHost 0x64acb:$x1: NanoCore.ClientPluginHost 0x70886:$x1: NanoCore.ClientPluginHost 0x7a527:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e46:$x2: IClientNetworkHost 0x21ff8:$x2: IClientNetworkHost 0x2be84:$x2: IClientNetworkHost 0x39252:$x2: IClientNetworkHost 0x439c0:$x2: IClientNetworkHost 0x4dd04:$x2: IClientNetworkHost 0x58d03:$x2: IClientNetworkHost 0x64ae5:$x2: IClientNetworkHost
4.2.name.exe.31a89d8.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e19:$x2: NanoCore.ClientPluginHost 0x21fbf:$x2: NanoCore.ClientPluginHost 0x2be4b:$x2: NanoCore.ClientPluginHost 0x32f54:$x2: NanoCore.ClientPluginHost 0x39219:$x2: NanoCore.ClientPluginHost 0x43863:$x2: NanoCore.ClientPluginHost 0x4dccb:$x2: NanoCore.ClientPluginHost 0x58ce9:$x2: NanoCore.ClientPluginHost 0x64acb:$x2: NanoCore.ClientPluginHost 0x70886:$x2: NanoCore.ClientPluginHost 0x7a527:$x2: NanoCore.ClientPluginHost 0x15de8:$s2: FileCommand 0x447b9:$s3: PipeExists 0x7a913:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a7ea:$s4: PipeCreated 0x220dc:$s4: PipeCreated 0x2bf4f:$s4: PipeCreated 0x33032:$s4: PipeCreated 0x39334:$s4: PipeCreated
4.2.name.exe.31a89d8.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14df3:$a: NanoCore 0x14e19:$a: NanoCore 0x14e75:$a: NanoCore 0x21d07:$a: NanoCore 0x21d60:$a: NanoCore 0x21d93:$a: NanoCore 0x21fbf:$a: NanoCore 0x2203b:$a: NanoCore 0x22654:$a: NanoCore 0x2279d:$a: NanoCore 0x22c71:$a: NanoCore 0x22f58:$a: NanoCore 0x22f6f:$a: NanoCore 0x2be4b:$a: NanoCore 0x2bec7:$a: NanoCore 0x2e7aa:$a: NanoCore 0x32f54:$a: NanoCore 0x32f9e:$a: NanoCore
0.3.wscript.exe.28c2f7dcc70.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wscript.exe.28c2f7dcc70.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.3.wscript.exe.28c2f7dcc70.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wscript.exe.28c2f7dcc70.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.name.exe.4131261.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x1507e:$x1: NanoCore.ClientPluginHost 0x287ec:$x1: NanoCore.ClientPluginHost 0x36426:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x15098:$x2: IClientNetworkHost 0x28819:$x2: IClientNetworkHost 0x36450:$x2: IClientNetworkHost
4.2.name.exe.4131261.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x1507e:$x2: NanoCore.ClientPluginHost 0x287ec:$x2: NanoCore.ClientPluginHost 0x36426:$x2: NanoCore.ClientPluginHost 0x1546a:$s3: PipeExists 0xc25f:$s4: PipeCreated 0x1533f:$s4: PipeCreated 0x298c7:$s4: PipeCreated 0x382d6:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x150b9:$s5: IClientLoggingHost 0x28806:$s5: IClientLoggingHost
4.2.name.exe.4131261.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.4131261.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x14fe8:$a: NanoCore 0x15041:$a: NanoCore 0x1507e:$a: NanoCore 0x150f7:$a: NanoCore 0x287a2:$a: NanoCore 0x287b7:$a: NanoCore 0x287ec:$a: NanoCore 0x36401:$a: NanoCore 0x36426:$a: NanoCore 0x3647f:$a: NanoCore 0xaef6:$b: ClientPlugin 0xaf11:$b: ClientPlugin 0xaf41:$b: ClientPlugin 0xb158:$b: ClientPlugin 0xb18d:$b: ClientPlugin 0x1504a:$b: ClientPlugin 0x15087:$b: ClientPlugin 0x15985:$b: ClientPlugin
4.2.name.exe.32dc3c4.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0xcc30:$x1: NanoCore.ClientPluginHost 0x12f11:$x1: NanoCore.ClientPluginHost 0x1d577:$x1: NanoCore.ClientPluginHost 0x279fb:$x1: NanoCore.ClientPluginHost 0x32a35:$x1: NanoCore.ClientPluginHost 0x3e833:$x1: NanoCore.ClientPluginHost 0x4a626:$x1: NanoCore.ClientPluginHost 0x5494f:$x1: NanoCore.ClientPluginHost 0x5976f:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost 0x12f4a:$x2: IClientNetworkHost 0x1d6d4:$x2: IClientNetworkHost 0x27a34:$x2: IClientNetworkHost 0x32a4f:$x2: IClientNetworkHost 0x3e84d:$x2: IClientNetworkHost 0x4a663:$x2: IClientNetworkHost 0x54969:$x2: IClientNetworkHost 0x59789:$x2: IClientNetworkHost
4.2.name.exe.32dc3c4.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0xcc30:$x2: NanoCore.ClientPluginHost 0x12f11:$x2: NanoCore.ClientPluginHost 0x1d577:$x2: NanoCore.ClientPluginHost 0x279fb:$x2: NanoCore.ClientPluginHost 0x32a35:$x2: NanoCore.ClientPluginHost 0x3e833:$x2: NanoCore.ClientPluginHost 0x4a626:$x2: NanoCore.ClientPluginHost 0x5494f:$x2: NanoCore.ClientPluginHost 0x5976f:$x2: NanoCore.ClientPluginHost 0x1e4cd:$s3: PipeExists 0x54d3b:$s3: PipeExists 0x59b5b:$s3: PipeExists 0x5c0f:$s4: PipeCreated 0xcd0e:$s4: PipeCreated 0x1302c:$s4: PipeCreated 0x1d76d:$s4: PipeCreated 0x27b46:$s4: PipeCreated 0x33a6a:$s4: PipeCreated 0x405de:$s4: PipeCreated 0x4da79:$s4: PipeCreated
3.2.file.exe.da0000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.3.wscript.exe.28c2f7dcc70.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wscript.exe.28c2f7dcc70.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.3.wscript.exe.28c2f7dcc70.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wscript.exe.28c2f7dcc70.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.name.exe.6110000.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
4.2.name.exe.6110000.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
4.2.name.exe.32dc3c4.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5b0b:$a: NanoCore 0x5b87:$a: NanoCore 0x846a:$a: NanoCore 0xcc30:$a: NanoCore 0xcc7a:$a: NanoCore 0xd8d4:$a: NanoCore 0x12f11:$a: NanoCore 0x12f8b:$a: NanoCore 0x1d577:$a: NanoCore 0x1d661:$a: NanoCore 0x1e4d8:$a: NanoCore 0x276db:$a: NanoCore 0x2773c:$a: NanoCore 0x2777f:$a: NanoCore 0x277bf:$a: NanoCore 0x279fb:$a: NanoCore 0x27a9b:$a: NanoCore 0x28273:$a: NanoCore 0x28866:$a: NanoCore 0x289b7:$a: NanoCore 0x29811:$a: NanoCore
4.2.name.exe.412cc38.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.name.exe.32e7c4c.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3889:$x1: NanoCore.ClientPluginHost 0x38c2:$x2: IClientNetworkHost
4.2.name.exe.412cc38.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.name.exe.32e7c4c.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3889:$x2: NanoCore.ClientPluginHost 0x39a4:$s4: PipeCreated 0x38a3:$s5: IClientLoggingHost
4.2.name.exe.412cc38.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.6130000.37.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
4.2.name.exe.6130000.37.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
4.2.name.exe.6160000.38.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
4.2.name.exe.6160000.38.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
4.2.name.exe.53f4629.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
4.2.name.exe.53f4629.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
4.2.name.exe.53f4629.24.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.5350000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.name.exe.5350000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.name.exe.6070000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
4.2.name.exe.6070000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
3.2.file.exe.da0000.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.name.exe.31b4c4c.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
4.2.name.exe.31b4c4c.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
4.2.name.exe.4186ef8.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.name.exe.4186ef8.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.name.exe.4186ef8.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wscript.exe.28c2f7cbaf0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1fa7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.name.exe.6110000.34.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
4.2.name.exe.6110000.34.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
4.2.name.exe.6090000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
4.2.name.exe.6090000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
4.2.name.exe.31c92b4.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb56f:$x1: NanoCore.ClientPluginHost 0x12678:$x1: NanoCore.ClientPluginHost 0x1893d:$x1: NanoCore.ClientPluginHost 0x22f87:$x1: NanoCore.ClientPluginHost 0x2d3ef:$x1: NanoCore.ClientPluginHost 0x3840d:$x1: NanoCore.ClientPluginHost 0x441ef:$x1: NanoCore.ClientPluginHost 0x4ffaa:$x1: NanoCore.ClientPluginHost 0x59c4b:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5a8:$x2: IClientNetworkHost 0x18976:$x2: IClientNetworkHost 0x230e4:$x2: IClientNetworkHost 0x2d428:$x2: IClientNetworkHost 0x38427:$x2: IClientNetworkHost 0x44209:$x2: IClientNetworkHost 0x4ffe7:$x2: IClientNetworkHost 0x59c65:$x2: IClientNetworkHost
4.2.name.exe.31c92b4.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb56f:$x2: NanoCore.ClientPluginHost 0x12678:$x2: NanoCore.ClientPluginHost 0x1893d:$x2: NanoCore.ClientPluginHost 0x22f87:$x2: NanoCore.ClientPluginHost 0x2d3ef:$x2: NanoCore.ClientPluginHost 0x3840d:$x2: NanoCore.ClientPluginHost 0x441ef:$x2: NanoCore.ClientPluginHost 0x4ffaa:$x2: NanoCore.ClientPluginHost 0x59c4b:$x2: NanoCore.ClientPluginHost 0x23edd:$s3: PipeExists 0x5a037:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb673:$s4: PipeCreated 0x12756:$s4: PipeCreated 0x18a58:$s4: PipeCreated 0x2317d:$s4: PipeCreated 0x2d53a:$s4: PipeCreated 0x39442:$s4: PipeCreated 0x45f9a:$s4: PipeCreated 0x533fd:$s4: PipeCreated
4.2.name.exe.31c92b4.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb56f:$a: NanoCore 0xb5eb:$a: NanoCore 0xdece:$a: NanoCore 0x12678:$a: NanoCore 0x126c2:$a: NanoCore 0x1331c:$a: NanoCore 0x1893d:$a: NanoCore 0x189b7:$a: NanoCore 0x22f87:$a: NanoCore 0x23071:$a: NanoCore 0x23ee8:$a: NanoCore
4.2.name.exe.6090000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
4.2.name.exe.6090000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
0.3.wscript.exe.28c2f7cbaf0.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1fa7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.name.exe.418b521.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
4.2.name.exe.418b521.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
4.2.name.exe.418b521.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.455ac82.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost
4.2.name.exe.455ac82.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost
4.2.name.exe.455ac82.17.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.455ac82.17.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x144cd:$c: ProjectData 0x12c9:$g: LogClientMessage 0x1249:$i: get_Connected 0x14e1c:$j: #=q 0x14e4c:$j: #=q
4.2.name.exe.870000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.name.exe.870000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.name.exe.870000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.name.exe.870000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.wscript.exe.28c2f7cbaf0.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1fa7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wscript.exe.28c2fc970e0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wscript.exe.28c2fc970e0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.wscript.exe.28c2fc970e0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wscript.exe.28c2fc970e0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.2.file.exe.2912938.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.name.exe.31b4c4c.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d4b:$x1: NanoCore.ClientPluginHost 0x1fbd7:$x1: NanoCore.ClientPluginHost 0x26ce0:$x1: NanoCore.ClientPluginHost 0x2cfa5:$x1: NanoCore.ClientPluginHost 0x375ef:$x1: NanoCore.ClientPluginHost 0x41a57:$x1: NanoCore.ClientPluginHost 0x4ca75:$x1: NanoCore.ClientPluginHost 0x58857:$x1: NanoCore.ClientPluginHost 0x64612:$x1: NanoCore.ClientPluginHost 0x6e2b3:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d84:$x2: IClientNetworkHost 0x1fc10:$x2: IClientNetworkHost 0x2cfde:$x2: IClientNetworkHost 0x3774c:$x2: IClientNetworkHost 0x41a90:$x2: IClientNetworkHost 0x4ca8f:$x2: IClientNetworkHost 0x58871:$x2: IClientNetworkHost 0x6464f:$x2: IClientNetworkHost 0x6e2cd:$x2: IClientNetworkHost
4.2.name.exe.31b4c4c.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d4b:$x2: NanoCore.ClientPluginHost 0x1fbd7:$x2: NanoCore.ClientPluginHost 0x26ce0:$x2: NanoCore.ClientPluginHost 0x2cfa5:$x2: NanoCore.ClientPluginHost 0x375ef:$x2: NanoCore.ClientPluginHost 0x41a57:$x2: NanoCore.ClientPluginHost 0x4ca75:$x2: NanoCore.ClientPluginHost 0x58857:$x2: NanoCore.ClientPluginHost 0x64612:$x2: NanoCore.ClientPluginHost 0x6e2b3:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x38545:$s3: PipeExists 0x6e69f:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e68:$s4: PipeCreated 0x1fcdb:$s4: PipeCreated 0x26dbe:$s4: PipeCreated 0x2d0c0:$s4: PipeCreated 0x377e5:$s4: PipeCreated 0x41ba2:$s4: PipeCreated
4.2.name.exe.31b4c4c.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a93:$a: NanoCore 0x15aec:$a: NanoCore 0x15b1f:$a: NanoCore 0x15d4b:$a: NanoCore 0x15dc7:$a: NanoCore 0x163e0:$a: NanoCore 0x16529:$a: NanoCore 0x169fd:$a: NanoCore 0x16ce4:$a: NanoCore 0x16cfb:$a: NanoCore 0x1fbd7:$a: NanoCore 0x1fc53:$a: NanoCore 0x22536:$a: NanoCore 0x26ce0:$a: NanoCore 0x26d2a:$a: NanoCore 0x27984:$a: NanoCore 0x2cfa5:$a: NanoCore 0x2d01f:$a: NanoCore
4.2.name.exe.43a63d9.15.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x31aa9:$a: NanoCore 0x32e65:$a: NanoCore
4.2.name.exe.3131398.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.name.exe.3131398.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.name.exe.43c6c3a.14.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x11248:$a: NanoCore 0x12604:$a: NanoCore 0x1264e:$a: NanoCore 0x132a8:$a: NanoCore 0x1888f:$a: NanoCore 0x18909:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
4.2.name.exe.43b260d.16.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x25875:$a: NanoCore 0x26c31:$a: NanoCore 0x26c7b:$a: NanoCore 0x278d5:$a: NanoCore 0x2cebc:$a: NanoCore
Click to see the 168 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\name.exe, ProcessId: 4704, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\name.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Found malware configuration

Show sources

Source: 00000003.00000002.492099585.0000000000DA0000.00000004.00000001.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "23.238.217.173", "Ports": "6606,7707,8808", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "rCdLgrV42q0DuDQzYbk2auSrJRoHXPHS", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "MIIE8jCCAtqgAwIBAgIQAJkhHU+BH915hv7LViGwzzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjAxMTA3MTkxMTE5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ2Kr4dwEtG7paj+p7bT61qNpAHg0vCScR1TFYJ9AFuPQMEPGEaB7gCf40qGTli8A/ac0EI2vXm8+pKrmu2ae50KltRwInh3rlKQOV3s6p1sGE7cZNc0a8+YjbLtvex6jx7mc+RrPNDX7ztZb5yFXDOxOmXNhcisF7GQLeIXdRp3AzEafDoS0S6N5AJlUCyI3/vHk6FbI8GZtjjj2fvYQKeX/oQyv+KDwx3m7BO6NTaLVCrDBikJZpoajcvmctTlR5u5HgtzIQ6QfZtt3SMPOC7vE4QOwfIS5Y5EJ2H8u5qJ3f7aomyxDUSV8snsvDpXg5Nk6WAOf0Lh10sjWM82Q8wCvaeijVkYMVTJYZXFhkc7C0+c6+19GVNvJlWdbSTeZKCOwCJD2TEiqJfCpeaySqJpvAqMhUj1qL+hX9SNS5uC32FcxVWve/COS1s6piR4GO5GWqErJp5dKDNyxnJWW27pyivcuciKSfj7g4ObXA3ABARzJucyyAV2rAn9N18JwOguGAu3boSDtgvIUYiUAupPK0a7Lf8E+eiLWMsVdX5uXRy2M5Lw/VGJ9EiMbswzfJN05WV5kp1QESUzkIZWMBKmfFJ3JgipR/mSxBXT6+7FQfLWEil3T/1UKE9Rm7Q4k0kcYX/SpzUvgZadwyaI8hbjz3uiaFV9/FSFPrq6qPkxAgMBAAGjMjAwMB0GA1UdDgQWBBTIOzfxNrixzR4oMI+dIEjFy3dMfTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBp13OHOR30C2YvzChrPHZIxlXZWnFJz5nazJy2kvFXCoq+ENu1aTJtpwN0XR0FhLyBhbWDTqoxoxJK33bfPjSn2Vrr44Anpdfjn+wBGfvic8btWTlPE/0g0vYDlv3OmIibf0s7ob/fVNaFiBumJZiPKguGya283ycWRF28JN/mqV7A6r4Py26CtTaGAs36Kzg5hgAxRoXjEMl8PzbYFjRFzteO0OA2Y9p2wp79W+h9JY0rGW/UTQqvUNpV2KfdKf5eGOKv5PHhzcQ56L+RydGaO0BL0WAcy/wvu/rW6+XPDhotNcVbsFGxPdMXUGfbzT5+4ugJv9n95fn3f6EWVitDdt/b1iz55YkbpbHr3YaPT/LVp9qXSHgg0lz9FQsdkssrD2Ete5NdlTOezia4jvxgkb2vdYIWNSURnNJXmH6CPVnrRa4juhjKtXsG0dOdxz5PSRJYmukFy8gl283yeOmDEqSDo9rQ9ywxtcL2IJYHzkmo6vctWnQnUaD8H87zz1YN3f1FbQEXovEDkIB7AiyRG2kfeRNMbEFCd0u1TXajD4z/+4+EGAGYpU7Laqar0PbFAuBe8/SAPfAsYqLdQ5TKIm8f54miRP72ySJ7+4kus25+19LdQmUJM79EKeFw2R6COJRRTvZ4hP3xqwn4yPULDJbU+CBSV9QY1YwU4ziUCQ==", "ServerSignature": "b7cZ72qbdlFxoVfpO/0tHE5xKg0vNw58XJ+PsP/eWucYIkdeP6fnlIwnxnXsvoEWxw3CuGFtcGjY9btemVUwPNMNu2wCsW4Plb9qpUk7TXu6kX0D+z5illmf1+q1/535hHDE0vGVhjFy7mX+LHrPyDC4o+zRjsy970eMY24er5ru4bN4yWrDr/MdoeLABYGFIeJwKEMu0VNjtiNdQ1mbX31uWDuMfJyDpdTZ8aIhxSo7S4Oil7bvpbpmqEPHwd5j3iPK3DdAKhcBAkOfPur2FP3R3iO8bVVWn5noiqU/vsrQq2PCFHvnllFYpYKRTKpla0bxa9WdmRJhAvpgBdUfcQFoIrrDfvO9djA2yTTJxzbDcT3GAdLtvnR9zcaRrrNlSp0NHNrDVjxcSv5bGixB8KKKmt7IKOo/RB6YweBpN+UbKhKo6O5pRaiDohxYS05ncA8UJp+81fMqT6iNNr2vn0CZScqINi1rCy5xoroXMvwnrU/nY+ePB6j8YnZFnspY1LW831Bdz0JLTLeeZrtEOg/6GrfOcQuEQZ+FiqE3xo+cpETksVUvcj/hzGMCnjwtHKe6GM18Li2GfkdTT/6BebbvAFmPvKBdSMkrVS6oVGm3UbEzGo6dqKhHyKqplYvr7/3pThARRvMylERoICs+pf/UWjsfhN52jEBm/FImD6c=", "Group": "NOW"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496683014.0000000004121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496940045.0000000004180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.497731455.000000000455A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 4704, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\name.exe, type: DROPPED
Source: Yara match	File source: 4.2.name.exe.455fab8.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.455fab8.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.45640e1.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4127e02.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.name.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wscript.exe.28c2fc970e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4186ef8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.412cc38.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4131261.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.412cc38.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4186ef8.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.418b521.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.455ac82.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wscript.exe.28c2fc970e0.4.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\name.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\file.exe	Joe Sandbox ML: detected

Source: 4.2.name.exe.53f0000.23.unpack	Avira: Label: TR/NanoCore.fadte
Source: 4.0.name.exe.870000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.name.exe.870000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\file.exe

Unpacked PE file: 3.2.file.exe.650000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\name.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: indows\System.pdbpdbtem.pdbUs source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbn source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: name.exe, 00000004.00000002.499346217.0000000006090000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: name.exe, 00000004.00000002.499421831.00000000060B0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: name.exe, 00000004.00000002.499506024.00000000060E0000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: name.exe, 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: name.exe, 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: name.exe, 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: name.exe, 00000004.00000002.498144630.0000000005370000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49694 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 23.238.217.173:6606 -> 192.168.2.7:49695
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49697 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49698 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49705 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49709 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49712 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49720 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49724 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49728 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49729 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49738 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49742 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49748 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49750 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49753 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49754 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49755 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49756 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49759 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49760 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49761 -> 23.238.217.173:54999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49762 -> 23.238.217.173:54999

Potential malicious VBS script found (has network functionality)

Show sources

Source:

Initial file: sYaLfdHYExbHIccGebuwDhvnHgDZNqiyLuQrXYGaHZupgIkVzVJZZnlLcnEzaiKOP.SaveToFile aupOipdfBkKfkFmyoZSOVlUMvEBjbChNioVWvmrMcFinJKwhINmDcSMpZcSdou, DfJOiguDslrEOMzMAfivXYBBqeiSvjJPyklEPxynIQsxccoAUkp

Source: global traffic

TCP traffic: 192.168.2.7:49694 -> 23.238.217.173:54999

Source: Joe Sandbox View

ASN Name: AS40676US AS40676US

Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 23.238.217.173

Source: file.exe, 00000003.00000003.245456484.000000001B488000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000003.00000003.240242347.000000001B35C000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: file.exe, 00000003.00000002.490969329.0000000000BDF000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: file.exe, 00000003.00000003.245456484.000000001B488000.00000004.00000001.sdmp, file.exe, 00000003.00000003.240654494.000000001B321000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: file.exe, 00000003.00000003.240764839.000000001B37C000.00000004.00000001.sdmp, file.exe, 00000003.00000003.240065562.000000001B488000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d06ec5ef7f4de
Source: name.exe, 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: file.exe, 00000003.00000002.492732344.0000000002911000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000003.00000002.492099585.0000000000DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.492732344.0000000002911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 360, type: MEMORY
Source: Yara match	File source: 3.2.file.exe.2912938.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.2912938.6.raw.unpack, type: UNPACKEDPE

Source: name.exe, 00000004.00000002.496683014.0000000004121000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496683014.0000000004121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496940045.0000000004180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.497731455.000000000455A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 4704, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\name.exe, type: DROPPED
Source: Yara match	File source: 4.2.name.exe.455fab8.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.455fab8.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.45640e1.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4127e02.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.name.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wscript.exe.28c2fc970e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4186ef8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.412cc38.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4131261.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.412cc38.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4186ef8.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.418b521.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.455ac82.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wscript.exe.28c2fc970e0.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.498075697.0000000005350000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.496683014.0000000004121000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.499346217.0000000006090000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.499421831.00000000060B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.499738147.0000000006130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.499506024.00000000060E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.499468188.00000000060D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.499649903.0000000006110000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.499439441.00000000060C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.494696991.0000000003173000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.498013207.0000000005320000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497731455.000000000455A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.499285834.0000000006070000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.499244411.0000000006050000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.499588089.0000000006100000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.499782274.0000000006160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497341701.00000000042F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: wscript.exe PID: 5648, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: wscript.exe PID: 5648, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: name.exe PID: 4704, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: name.exe PID: 4704, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\name.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\name.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.31a89d8.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.455fab8.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.32dc3c4.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7dcc70.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7dcc70.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.60c0000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.6050000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.455fab8.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.6100000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.613e8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7cbaf0.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.5320000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.53f0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.45640e1.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.5320000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.53f0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.4127e02.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.4127e02.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.name.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.name.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.6100000.33.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.32e7c4c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.32e7c4c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.6130000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.60b0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7cbaf0.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.6160000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.60d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7dcc70.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7dcc70.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wscript.exe.28c2fc970e0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wscript.exe.28c2fc970e0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.60e0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.60d0000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.32d6944.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.32d6944.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.43a63d9.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7cbaf0.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.6050000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.4186ef8.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.60c0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.43b260d.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.412cc38.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.412cc38.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.6134c9f.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.60e0000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.31a89d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.31a89d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wscript.exe.28c2f7dcc70.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7dcc70.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.4131261.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.4131261.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.32dc3c4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7dcc70.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7dcc70.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.6110000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.32dc3c4.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.412cc38.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.32e7c4c.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.6130000.37.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.6160000.38.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.53f4629.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.5350000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.6070000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.31b4c4c.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.4186ef8.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7cbaf0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.6110000.34.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.6090000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.31c92b4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.31c92b4.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.6090000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wscript.exe.28c2f7cbaf0.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.418b521.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.455ac82.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.455ac82.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wscript.exe.28c2f7cbaf0.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wscript.exe.28c2fc970e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wscript.exe.28c2fc970e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.31b4c4c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.31b4c4c.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.43a63d9.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3131398.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.43c6c3a.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.43b260d.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: file.exe.0.dr, Program.cs	Long String: Length: 61440
Source: 3.0.file.exe.650000.0.unpack, Program.cs	Long String: Length: 61440
Source: 3.2.file.exe.650000.0.unpack, Program.cs	Long String: Length: 61440

Source: Invoice PaymentPDF.vbs

Initial sample: Strings found which are bigger than 50

Source: file.exe.0.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\wscript.exe

Section loaded: windows.staterepositoryps.dll

Source: 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.498075697.0000000005350000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.498075697.0000000005350000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.496683014.0000000004121000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.499346217.0000000006090000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.499346217.0000000006090000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.499421831.00000000060B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.499421831.00000000060B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.499738147.0000000006130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.499738147.0000000006130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.499506024.00000000060E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.499506024.00000000060E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.499468188.00000000060D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.499468188.00000000060D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.499649903.0000000006110000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.499649903.0000000006110000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.499439441.00000000060C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.499439441.00000000060C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.494696991.0000000003173000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.498013207.0000000005320000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.498013207.0000000005320000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497731455.000000000455A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.499285834.0000000006070000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.499285834.0000000006070000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.499244411.0000000006050000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.499244411.0000000006050000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.499588089.0000000006100000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.499588089.0000000006100000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.499782274.0000000006160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.499782274.0000000006160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497341701.00000000042F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wscript.exe PID: 5648, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: wscript.exe PID: 5648, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: name.exe PID: 4704, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: name.exe PID: 4704, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\name.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Users\user\AppData\Local\Temp\name.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\name.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.31a89d8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.31a89d8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.455fab8.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.455fab8.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.32dc3c4.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.32dc3c4.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7dcc70.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wscript.exe.28c2f7dcc70.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7dcc70.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.60c0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.60c0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.6050000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6050000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.455fab8.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.455fab8.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.6100000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6100000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.613e8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.613e8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7cbaf0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.5320000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.5320000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.53f0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.53f0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.45640e1.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.45640e1.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.5320000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.5320000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.53f0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.53f0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.4127e02.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.4127e02.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.4127e02.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.name.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.name.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.0.name.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.6100000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6100000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.32e7c4c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.32e7c4c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.32e7c4c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.6130000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6130000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.60b0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.60b0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7cbaf0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6160000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6160000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.60d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.60d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7dcc70.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wscript.exe.28c2f7dcc70.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7dcc70.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.wscript.exe.28c2fc970e0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.wscript.exe.28c2fc970e0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.wscript.exe.28c2fc970e0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.60e0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.60e0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.60d0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.60d0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.32d6944.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.32d6944.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.32d6944.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.43a63d9.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.43a63d9.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7cbaf0.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6050000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6050000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.4186ef8.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.4186ef8.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.60c0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.60c0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.43b260d.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.43b260d.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.412cc38.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.412cc38.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.412cc38.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.6134c9f.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6134c9f.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.60e0000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.60e0000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.31a89d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.31a89d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.31a89d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wscript.exe.28c2f7dcc70.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wscript.exe.28c2f7dcc70.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7dcc70.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.4131261.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.4131261.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.4131261.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.32dc3c4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.32dc3c4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7dcc70.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wscript.exe.28c2f7dcc70.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7dcc70.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.6110000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6110000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.32dc3c4.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.412cc38.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.32e7c4c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.412cc38.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.32e7c4c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.6130000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6130000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.6160000.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6160000.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.53f4629.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.53f4629.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.5350000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.5350000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.6070000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6070000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.31b4c4c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.31b4c4c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.4186ef8.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.4186ef8.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7cbaf0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6110000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6110000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.6090000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6090000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.31c92b4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.31c92b4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.31c92b4.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.6090000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.6090000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.28c2f7cbaf0.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.418b521.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.418b521.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.455ac82.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.455ac82.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.455ac82.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wscript.exe.28c2f7cbaf0.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.wscript.exe.28c2fc970e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.wscript.exe.28c2fc970e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.wscript.exe.28c2fc970e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.31b4c4c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.31b4c4c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.31b4c4c.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.43a63d9.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.3131398.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.3131398.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.43c6c3a.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.43b260d.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: name.exe.0.dr

Static PE information: Section: .rsrc ZLIB complexity 0.999720982143

Source: name.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: name.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: name.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.name.exe.870000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.name.exe.870000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.name.exe.870000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.name.exe.870000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.name.exe.870000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.name.exe.870000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: name.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: name.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.name.exe.870000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.name.exe.870000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.0.name.exe.870000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.name.exe.870000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winVBS@5/6@0/1

Source: C:\Users\user\AppData\Local\Temp\name.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\name.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b1c4182f-3832-4bd4-8afb-f992cadc9e22}
Source: C:\Users\user\AppData\Local\Temp\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Users\user\AppData\Local\Temp\name.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user~1\AppData\Local\Temp\file.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice PaymentPDF.vbs'

Source: C:\Users\user\AppData\Local\Temp\file.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\name.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\name.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\name.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\file.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice PaymentPDF.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file.exe 'C:\Users\user~1\AppData\Local\Temp\file.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\name.exe 'C:\Users\user~1\AppData\Local\Temp\name.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file.exe 'C:\Users\user~1\AppData\Local\Temp\file.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\name.exe 'C:\Users\user~1\AppData\Local\Temp\name.exe'

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\name.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\name.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: indows\System.pdbpdbtem.pdbUs source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbn source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: name.exe, 00000004.00000002.499346217.0000000006090000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: name.exe, 00000004.00000002.499421831.00000000060B0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: name.exe, 00000004.00000002.499506024.00000000060E0000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: name.exe, 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: name.exe, 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: name.exe, 00000004.00000002.492712850.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: name.exe, 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: name.exe, 00000004.00000002.498144630.0000000005370000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\file.exe

Unpacked PE file: 3.2.file.exe.650000.0.unpack

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user~1\AppData\Local\Temp\file.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALg8bGAAAAAAAAAAAOAAAgELAQsAAOoBAAD0AQAAAAAA/gc");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user~1\AppData\Local\Temp\file.exe", "2");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKEn6VQAAAAAAAAAAOAADgELAQYAAMgBAABgAQAAAAAAkuc");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user~1\AppData\Local\Temp\name.exe", "2");IWshShell3.Run("C:\Users\user~1\AppData\Local\Temp\file.exe");IWshShell3.Run("C:\Users\user~1\AppData\Local\Temp\name.exe")

.NET source code contains potential unpacker

Show sources

Source: file.exe.0.dr, Program.cs	.Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: name.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: name.exe.0.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.file.exe.650000.0.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.file.exe.650000.0.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.name.exe.870000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.name.exe.870000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.name.exe.870000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.name.exe.870000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Local\Temp\file.exe	Code function: 3_2_00007FFF2AF57DA8 push esp; iretd
Source: C:\Users\user\AppData\Local\Temp\name.exe	Code function: 4_3_04215FE0 pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\name.exe	Code function: 4_3_04215FE0 pushfd ; ret

Source: name.exe.0.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: name.exe.0.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 4.0.name.exe.870000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.0.name.exe.870000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 4.2.name.exe.870000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.name.exe.870000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\file.exe			Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\name.exe			Jump to dropped file

Boot Survival:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000003.00000002.492099585.0000000000DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.492732344.0000000002911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 360, type: MEMORY
Source: Yara match	File source: 3.2.file.exe.2912938.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.2912938.6.raw.unpack, type: UNPACKEDPE

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\name.exe

File opened: C:\Users\user~1\AppData\Local\Temp\name.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000003.00000002.492099585.0000000000DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.492732344.0000000002911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 360, type: MEMORY
Source: Yara match	File source: 3.2.file.exe.2912938.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.2912938.6.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: file.exe, 00000003.00000002.492099585.0000000000DA0000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\System32\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\file.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\name.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\file.exe	Window / User API: threadDelayed 2725
Source: C:\Users\user\AppData\Local\Temp\file.exe	Window / User API: threadDelayed 6705
Source: C:\Users\user\AppData\Local\Temp\name.exe	Window / User API: threadDelayed 358
Source: C:\Users\user\AppData\Local\Temp\name.exe	Window / User API: foregroundWindowGot 1043

Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5952	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5388	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 1392	Thread sleep count: 2725 > 30
Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 1392	Thread sleep count: 6705 > 30
Source: C:\Users\user\AppData\Local\Temp\name.exe TID: 2868	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\name.exe TID: 608	Thread sleep time: -280000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\file.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\file.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\name.exe	Thread delayed: delay time: 922337203685477

Source: wscript.exe, 00000000.00000002.230714967.0000028C2FD30000.00000002.00000001.sdmp, file.exe, 00000003.00000002.499721687.000000001BC20000.00000002.00000001.sdmp, name.exe, 00000004.00000002.499940397.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: file.exe, 00000003.00000002.492099585.0000000000DA0000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: file.exe, 00000003.00000003.366663135.000000001B395000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.230714967.0000028C2FD30000.00000002.00000001.sdmp, file.exe, 00000003.00000002.499721687.000000001BC20000.00000002.00000001.sdmp, name.exe, 00000004.00000002.499940397.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.230714967.0000028C2FD30000.00000002.00000001.sdmp, file.exe, 00000003.00000002.499721687.000000001BC20000.00000002.00000001.sdmp, name.exe, 00000004.00000002.499940397.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: name.exe, 00000004.00000003.350778767.0000000000E9A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 00000000.00000002.230714967.0000028C2FD30000.00000002.00000001.sdmp, file.exe, 00000003.00000002.499721687.000000001BC20000.00000002.00000001.sdmp, name.exe, 00000004.00000002.499940397.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\name.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\file.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\name.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\file.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: file.exe.0.dr

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file.exe 'C:\Users\user~1\AppData\Local\Temp\file.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\name.exe 'C:\Users\user~1\AppData\Local\Temp\name.exe'

Source: file.exe, 00000003.00000002.492969519.000000000297A000.00000004.00000001.sdmp	Binary or memory string: Program Manager(
Source: file.exe, 00000003.00000002.492522908.0000000001400000.00000002.00000001.sdmp, name.exe, 00000004.00000002.492058242.0000000001700000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: file.exe, 00000003.00000002.499479072.000000001B4AA000.00000004.00000001.sdmp, name.exe, 00000004.00000003.350778767.0000000000E9A000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: file.exe, 00000003.00000002.492522908.0000000001400000.00000002.00000001.sdmp, name.exe, 00000004.00000002.492058242.0000000001700000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: file.exe, 00000003.00000002.492522908.0000000001400000.00000002.00000001.sdmp, name.exe, 00000004.00000002.492058242.0000000001700000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: name.exe, 00000004.00000002.496562917.00000000033A5000.00000004.00000001.sdmp	Binary or memory string: Program ManagerpW
Source: file.exe, 00000003.00000002.492522908.0000000001400000.00000002.00000001.sdmp, name.exe, 00000004.00000002.492058242.0000000001700000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: name.exe, 00000004.00000003.454931424.0000000000E9A000.00000004.00000001.sdmp	Binary or memory string: Program Manager0_
Source: name.exe, 00000004.00000003.277700956.0000000000E9A000.00000004.00000001.sdmp	Binary or memory string: Program Managert$
Source: file.exe, 00000003.00000002.493169087.0000000002999000.00000004.00000001.sdmp	Binary or memory string: Program Manager0yo

Source: C:\Users\user\AppData\Local\Temp\file.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\file.exe VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000003.00000002.492099585.0000000000DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.492732344.0000000002911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 360, type: MEMORY
Source: Yara match	File source: 3.2.file.exe.2912938.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.2912938.6.raw.unpack, type: UNPACKEDPE

Source: file.exe, 00000003.00000003.245299369.000000001B374000.00000004.00000001.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\file.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496683014.0000000004121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496940045.0000000004180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.497731455.000000000455A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 4704, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\name.exe, type: DROPPED
Source: Yara match	File source: 4.2.name.exe.455fab8.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.455fab8.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.45640e1.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4127e02.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.name.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wscript.exe.28c2fc970e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4186ef8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.412cc38.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4131261.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.412cc38.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4186ef8.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.418b521.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.455ac82.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wscript.exe.28c2fc970e0.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: wscript.exe, 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: name.exe, 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: name.exe, 00000004.00000002.498075697.0000000005350000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: name.exe, 00000004.00000002.499421831.00000000060B0000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: name.exe, 00000004.00000002.499506024.00000000060E0000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: name.exe, 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: name.exe, 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: name.exe.0.dr	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496683014.0000000004121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496940045.0000000004180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.497731455.000000000455A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 4704, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\name.exe, type: DROPPED
Source: Yara match	File source: 4.2.name.exe.455fab8.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.455fab8.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.45640e1.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4127e02.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.name.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wscript.exe.28c2fc970e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4186ef8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.412cc38.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4131261.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.28c2f7dcc70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.412cc38.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.53f4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.4186ef8.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.418b521.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.455ac82.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wscript.exe.28c2fc970e0.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection12	Masquerading1	Input Capture11	Query Registry1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Non-Standard Port1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	DLL Side-Loading1	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery131	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scripting221	Logon Script (Windows)	DLL Side-Loading1	Virtualization/Sandbox Evasion31	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution1	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Virtualization/Sandbox Evasion31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting221	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information12	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing22	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	DLL Side-Loading1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\name.exe	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Local\Temp\name.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\file.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.name.exe.53f0000.23.unpack	100%	Avira	TR/NanoCore.fadte	Download File
4.0.name.exe.870000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.name.exe.870000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000003.00000002.492732344.0000000002911000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.238.217.173	unknown	United States		40676	AS40676US	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	382764
Start date:	06.04.2021
Start time:	16:31:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 3s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Invoice PaymentPDF.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@5/6@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 184.30.21.144, 2.20.142.209, 2.20.142.210, 168.61.161.212, 184.30.24.56, 13.88.21.125, 20.50.102.62, 52.147.198.201, 40.88.32.150, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 104.42.151.234, 20.82.210.154 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:31:57	API Interceptor	994x Sleep call for process: name.exe modified
16:32:03	API Interceptor	1x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS40676US	g0g865fQ2S.exe	Get hash	malicious	Browse	172.107.55.6
	4xMdbgzeJQ.exe	Get hash	malicious	Browse	172.106.71.28
	DtE7OndZYB.exe	Get hash	malicious	Browse	104.217.62.116
	Gt8AN6GiOD.exe	Get hash	malicious	Browse	172.107.55.6
	1LHKlbcoW3.exe	Get hash	malicious	Browse	172.107.55.6
	ZwNJI24QAf.exe	Get hash	malicious	Browse	172.107.55.6
	MV Sky Marine_pdf.exe	Get hash	malicious	Browse	172.106.71.28
	quLdcfImUL.exe	Get hash	malicious	Browse	107.160.235.31
	Swift.exe	Get hash	malicious	Browse	107.160.235.31
	w.exe	Get hash	malicious	Browse	172.106.0.71
	7.exe	Get hash	malicious	Browse	172.106.0.71
	BSG_ptf.exe	Get hash	malicious	Browse	107.160.127.252
	Tax Invoice_309221.exe	Get hash	malicious	Browse	172.93.163.101
	bXSINeHUUZ.dll	Get hash	malicious	Browse	23.228.215.119
	PAYMENTSWIFT COPY.PDF.exe	Get hash	malicious	Browse	107.160.235.10
	Archivo.CarrefourOnliner.efasvtr.qKUjVasadm.vbs	Get hash	malicious	Browse	172.107.45.224
	smokeweed.vbs	Get hash	malicious	Browse	154.16.67.107
	jvHSccqW.exe	Get hash	malicious	Browse	154.16.67.107
	N5eld3tiba.exe	Get hash	malicious	Browse	172.107.43.174
	shed.exe	Get hash	malicious	Browse	172.106.242.148

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Local\Temp\file.exe
File Type:	Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:	dropped
Size (bytes):	58596
Entropy (8bit):	7.995478615012125
Encrypted:	true
SSDEEP:	1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:	61A03D15CF62612F50B74867090DBE79
SHA1:	15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:	5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............\|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>..V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..\|0.+?.`-../.xvy..e......w.+^...w\|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g\|.z..+.D8.m..F .h............ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Local\Temp\file.exe
File Type:	data
Category:	modified
Size (bytes):	326
Entropy (8bit):	3.1120436261832696
Encrypted:	false
SSDEEP:	6:kK+fkwTJ6YN+SkQlPlEGYRMY9z+4KlDA3RUe0ht:GkwTJ6HkPlE99SNxAhUe0ht
MD5:	BA0575EB4D46A9D8A3A8E2398BF53D2F
SHA1:	324F765E21FDA9DC079940097B03F1D022C95E87
SHA-256:	33C4B79161DB3CE59A51170AD656296A29CD535695C83703060A29995D3B0156
SHA-512:	75F23A24AEA6A305ECB4FC113565E396AA282ED5860ACAAFC298F7C4CEDC80F509EFEF6302D73CED0AB0E8C93E622D1C79BD6111BC7534BEDA2FEE4A7F901295
Malicious:	false
Reputation:	low
Preview:	p...... ........c..=+..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...

C:\Users\user\AppData\Local\Temp\file.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	253952
Entropy (8bit):	5.107675207273867
Encrypted:	false
SSDEEP:	3072:vrdQJkVIb71u5aEYLUfh5+u/0a2HBrvyIBfn8+ux221Hl:OJk071cacfh5+CJK+
MD5:	76D2BB0F57BBF02E190055FCDB3663DB
SHA1:	D2AC68C0F7284EA67072BD396D1CC20A83BE4D95
SHA-256:	B1BD43F34BFCC14D04E27D65D0CEFC7064BCC536758B6CA48F0F786040EFAA71
SHA-512:	F848C3CEFE0BA112F4BA80427785E9654EC22F0625FCD30892C00949EE98E83517C334FE5A5F8E96A03C1149D7B05DCFE50CE460E52EE0C519AAFB689168D8BF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<l`................................. ... ....@.. .......................@............@.....................................W.... ....................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc....... ......................@..B........................H........ ...............................................................~....(....o...........o....(.....r...pr...pr...po....r...pr...po....(...........(....*...BSJB............v4.0.30319......l...0...#~..........#Strings............#US.........#GUID.......0...#Blob...........W.........%3........................................................G.@...r.`.............................`...6.`...S.`...r.`.....`.....`.....`.................`...R.8.....`.....`.....@.....`.....@...

C:\Users\user\AppData\Local\Temp\name.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	7.4478668113025845
Encrypted:	false
SSDEEP:	6144:wLV6Bta6dtJmakIM5fFmHi8ieZv00yRQ+E2c6:wLV6BtpmksFmC83KWH2c6
MD5:	50B53CECA7021AD9ABEA4074A634680A
SHA1:	90A934B90A726E47625451C58417BB4314730C41
SHA-256:	72FFB8177D08CF4E454B1E38FD83BC8681FD5FFE91336BC3D3611EE9823FD498
SHA-512:	B7E6D8F4AA99CF2FAB81A1EB7CAE6191C95B2D52FD1D5B4B7093483A283F59AC2A1AACFFA332E83890815541AEAC6B4B06A02B93DADE9A64820124F870F7138D
Malicious:	true
Yara Hits:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\name.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\name.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\name.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\name.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\name.exe
File Type:	data
Category:	dropped
Size (bytes):	2088
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhDjhL
MD5:	84864902DEC5038CEF326FF21E8D5F98
SHA1:	2F10FEC81D95813C3B2530EC4CECED70164A08C5
SHA-256:	5B4853A46F99AC6445B68DC1A841D511D0E86C6EDEC2A0A84F3778039A578B6B
SHA-512:	A77BCDB522CE208C8D785F44D9FE90C6D1314CB199A4BE72E220F4B8C5446265EEEF1C51EFFD2D7BDCCDC8F4A76F803A41A4973364757950D0777E8BAEF0B14C
Malicious:	false
Reputation:	low
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\name.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:8htn:y
MD5:	FB6B1642D0452C3108CB83017340C8F1
SHA1:	2F9FC413A65B9F3B720266284A7360657E30E17D
SHA-256:	29346F09E16F22AE462C50E61036CC88A2CF0CB789D7895EEF9B1CBEB379EB84
SHA-512:	9828FBF3A07A76A41839634FCC5DE7A6E4696729A9401012228FF01C0D4B8F66AADA3875086F9D8C570ECD947037077A7CD331AA486F59EED0523BBB47D7ADFA
Malicious:	true
Reputation:	low
Preview:	...+T..H

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	5.345616839723832
TrID:	Visual Basic Script (13500/0) 87.10% Disk Image (Macintosh), GPT (2000/0) 12.90%
File name:	Invoice PaymentPDF.vbs
File size:	678447
MD5:	3911ee0964b7aa57b411fe3d88d304d6
SHA1:	b6f21d1f4a6f3329e8403038906fc93a7872fcee
SHA256:	ea5784a4389f86bb28ec9ca5fc099b5d4e8791983ce7b66df5c1cf8cb01e5952
SHA512:	bf206257cd473d35a751f1802aba1f7f10f87ef94ffd92bd7c8d001bf07e5335c66a92d743c941445dc37eb23bc7fec6343b3e4cf446d7cadf989c1d0ca005fc
SSDEEP:	12288:irzreo/goc/lNlQiBsrvGnCH6wonm724W1VVh8FEfZkKw:UregH4NW8srvGCa5trV0FwkB
File Content Preview:	on error resume next..Dim JpeJpoKJowKEZgOlpSmLmJSzleJKfhfZVmevyiVZPhyddgTpiapRcRLAXeXLezdHRljnCTnGwMvELoWFKTcFrNxDaeYTKKuPErMsxgnPmjVPVHoiISAKXYPEnfNYuUwlRgAUcdHegNSIriiTpqLsJksfbIFSTPUSnjxpGUFeKWeJGHMExtjEIEbhnUsUYpKRszVIlsMU..'kghnGiZTvAUZfQKiHQBlblFULM

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/06/21-16:31:59.464981	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49694	54999	192.168.2.7	23.238.217.173
04/06/21-16:32:03.421526	TCP	2030673	ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)	6606	49695	23.238.217.173	192.168.2.7
04/06/21-16:32:05.489425	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49697	54999	192.168.2.7	23.238.217.173
04/06/21-16:32:12.060625	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49698	54999	192.168.2.7	23.238.217.173
04/06/21-16:32:18.068574	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49705	54999	192.168.2.7	23.238.217.173
04/06/21-16:32:24.411153	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49709	54999	192.168.2.7	23.238.217.173
04/06/21-16:32:28.964583	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49712	54999	192.168.2.7	23.238.217.173
04/06/21-16:32:36.130837	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	54999	192.168.2.7	23.238.217.173
04/06/21-16:32:40.669412	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49724	54999	192.168.2.7	23.238.217.173
04/06/21-16:32:46.808761	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49728	54999	192.168.2.7	23.238.217.173
04/06/21-16:32:52.822544	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49729	54999	192.168.2.7	23.238.217.173
04/06/21-16:32:58.962642	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49738	54999	192.168.2.7	23.238.217.173
04/06/21-16:33:05.180390	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	54999	192.168.2.7	23.238.217.173
04/06/21-16:33:09.773608	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49748	54999	192.168.2.7	23.238.217.173
04/06/21-16:33:14.353287	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49750	54999	192.168.2.7	23.238.217.173
04/06/21-16:33:21.303198	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49753	54999	192.168.2.7	23.238.217.173
04/06/21-16:33:27.525754	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49754	54999	192.168.2.7	23.238.217.173
04/06/21-16:33:32.134776	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49755	54999	192.168.2.7	23.238.217.173
04/06/21-16:33:38.233306	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49756	54999	192.168.2.7	23.238.217.173
04/06/21-16:33:44.457596	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49759	54999	192.168.2.7	23.238.217.173
04/06/21-16:33:50.533266	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49760	54999	192.168.2.7	23.238.217.173
04/06/21-16:33:55.244682	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49761	54999	192.168.2.7	23.238.217.173
04/06/21-16:33:59.826832	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49762	54999	192.168.2.7	23.238.217.173

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 6, 2021 16:31:59.144707918 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:31:59.308810949 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:31:59.309655905 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:31:59.464981079 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:31:59.649559021 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:31:59.650315046 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:31:59.875344038 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:31:59.875505924 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.040448904 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.040903091 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.267366886 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.267471075 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.487400055 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.487564087 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.494333982 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.494363070 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.494375944 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.494393110 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.494482040 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.494499922 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.660765886 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.660799026 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.660820007 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.660840034 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.660861015 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.660861015 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.660897017 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.660916090 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.660922050 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.660942078 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.660944939 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.660970926 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.660998106 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.825064898 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825093031 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825115919 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825136900 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825145960 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.825158119 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825179100 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.825182915 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825206041 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825222015 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.825227022 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825248957 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825249910 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.825269938 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825287104 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.825290918 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825314045 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825320959 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.825335979 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825361013 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.825361013 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825397968 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825406075 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.825421095 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.825437069 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.825469971 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.990700006 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990727901 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990741968 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990756035 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990772009 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990787983 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990793943 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.990806103 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990824938 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990843058 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990849018 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.990859985 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990878105 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.990880013 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990899086 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990906000 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.990916014 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990931988 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.990932941 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990951061 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990962982 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.990967035 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990983963 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.990999937 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.991002083 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.991023064 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.991034985 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.991040945 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.991059065 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.991065979 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.991075039 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.991091967 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.991099119 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.991108894 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.991126060 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.991128922 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.991142988 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.991152048 CEST	49694	54999	192.168.2.7	23.238.217.173
Apr 6, 2021 16:32:00.991163015 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.991180897 CEST	54999	49694	23.238.217.173	192.168.2.7
Apr 6, 2021 16:32:00.991190910 CEST	49694	54999	192.168.2.7	23.238.217.173

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 6, 2021 16:31:46.956240892 CEST	62452	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:31:47.002151966 CEST	53	62452	8.8.8.8	192.168.2.7
Apr 6, 2021 16:31:49.708651066 CEST	57820	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:31:49.767714977 CEST	53	57820	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:04.124748945 CEST	50848	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:04.182363033 CEST	53	50848	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:15.063349009 CEST	61242	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:15.112181902 CEST	53	61242	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:16.151714087 CEST	58562	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:16.208039999 CEST	53	58562	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:16.225825071 CEST	56590	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:16.271897078 CEST	53	56590	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:17.452346087 CEST	60501	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:17.504942894 CEST	53	60501	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:18.735611916 CEST	53775	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:18.785016060 CEST	53	53775	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:19.834711075 CEST	51837	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:19.889540911 CEST	53	51837	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:20.993029118 CEST	55411	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:21.042897940 CEST	53	55411	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:26.621511936 CEST	63668	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:26.672574043 CEST	53	63668	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:28.742068052 CEST	54640	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:28.789588928 CEST	53	54640	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:30.523845911 CEST	58739	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:30.570034027 CEST	53	58739	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:31.304320097 CEST	60338	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:31.353317022 CEST	53	60338	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:32.524560928 CEST	58717	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:32.570400953 CEST	53	58717	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:33.645565987 CEST	59762	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:33.691447020 CEST	53	59762	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:34.718178988 CEST	54329	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:34.764749050 CEST	53	54329	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:35.502871037 CEST	58052	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:35.551671982 CEST	53	58052	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:36.580980062 CEST	54008	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:36.626964092 CEST	53	54008	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:37.516587019 CEST	59451	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:37.564519882 CEST	53	59451	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:39.747912884 CEST	52914	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:39.794955969 CEST	53	52914	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:40.890270948 CEST	64569	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:40.940371990 CEST	53	64569	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:42.571144104 CEST	52816	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:42.627120018 CEST	53	52816	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:42.650916100 CEST	50781	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:42.709528923 CEST	53	50781	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:54.902240992 CEST	54230	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:54.959589958 CEST	53	54230	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:55.588939905 CEST	54911	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:55.644551039 CEST	53	54911	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:56.063314915 CEST	49958	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:56.125809908 CEST	50860	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:56.126456022 CEST	53	49958	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:56.184194088 CEST	53	50860	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:56.654314995 CEST	50452	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:56.708714962 CEST	53	50452	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:57.310209990 CEST	59730	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:57.358108997 CEST	53	59730	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:57.946122885 CEST	59310	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:58.003563881 CEST	53	59310	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:58.504122019 CEST	51919	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:58.558964014 CEST	53	51919	8.8.8.8	192.168.2.7
Apr 6, 2021 16:32:59.549380064 CEST	64296	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:32:59.609319925 CEST	53	64296	8.8.8.8	192.168.2.7
Apr 6, 2021 16:33:00.874543905 CEST	56680	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:33:00.928958893 CEST	53	56680	8.8.8.8	192.168.2.7
Apr 6, 2021 16:33:01.924225092 CEST	58820	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:33:01.978292942 CEST	53	58820	8.8.8.8	192.168.2.7
Apr 6, 2021 16:33:07.199218988 CEST	60983	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:33:07.257049084 CEST	53	60983	8.8.8.8	192.168.2.7
Apr 6, 2021 16:33:13.683300018 CEST	49247	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:33:13.729132891 CEST	53	49247	8.8.8.8	192.168.2.7
Apr 6, 2021 16:33:14.862555981 CEST	52286	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:33:14.908555984 CEST	53	52286	8.8.8.8	192.168.2.7
Apr 6, 2021 16:33:17.566824913 CEST	56064	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:33:17.612814903 CEST	53	56064	8.8.8.8	192.168.2.7
Apr 6, 2021 16:33:39.852117062 CEST	63744	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:33:39.898274899 CEST	53	63744	8.8.8.8	192.168.2.7
Apr 6, 2021 16:33:43.389631987 CEST	61457	53	192.168.2.7	8.8.8.8
Apr 6, 2021 16:33:43.454875946 CEST	53	61457	8.8.8.8	192.168.2.7

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 5648 Parent PID: 3292

General

Start time:	16:31:53
Start date:	06/04/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice PaymentPDF.vbs'
Imagebase:	0x7ff6e8cd0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.221036890.0000028C2F7DD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.221395842.0000028C2F7BC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.225834139.0000028C2F7B2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.221500985.0000028C2F7BC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.221285702.0000028C2F8E7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.225899093.0000028C2F7B4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.225743694.0000028C2F7B2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.229634460.0000028C2F7B6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.230491203.0000028C2FC10000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.221435986.0000028C2F7BC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	high

Analysis Process: file.exe PID: 360 Parent PID: 5648

General

Start time:	16:31:56
Start date:	06/04/2021
Path:	C:\Users\user\AppData\Local\Temp\file.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user~1\AppData\Local\Temp\file.exe'
Imagebase:	0x650000
File size:	253952 bytes
MD5 hash:	76D2BB0F57BBF02E190055FCDB3663DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.492099585.0000000000DA0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.492732344.0000000002911000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: name.exe PID: 4704 Parent PID: 5648

General

Start time:	16:31:56
Start date:	06/04/2021
Path:	C:\Users\user\AppData\Local\Temp\name.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user~1\AppData\Local\Temp\name.exe'
Imagebase:	0x870000
File size:	207360 bytes
MD5 hash:	50B53CECA7021AD9ABEA4074A634680A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.498075697.0000000005350000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.498075697.0000000005350000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000000.224566255.0000000000872000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.496683014.0000000004121000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.496683014.0000000004121000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.499346217.0000000006090000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.499346217.0000000006090000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.499421831.00000000060B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.499421831.00000000060B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.499738147.0000000006130000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.499738147.0000000006130000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.496940045.0000000004180000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.499506024.00000000060E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.499506024.00000000060E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.499468188.00000000060D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.499468188.00000000060D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.499649903.0000000006110000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.499649903.0000000006110000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000004.00000002.495651138.00000000032CF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.498280487.00000000053F0000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.499439441.00000000060C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.499439441.00000000060C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000004.00000002.494696991.0000000003173000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.498013207.0000000005320000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.498013207.0000000005320000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.497731455.000000000455A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.497731455.000000000455A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.499285834.0000000006070000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.499285834.0000000006070000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.499244411.0000000006050000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.499244411.0000000006050000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.499588089.0000000006100000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.499588089.0000000006100000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.499782274.0000000006160000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.499782274.0000000006160000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000004.00000002.497341701.00000000042F7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\name.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\name.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\name.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\name.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Invoice PaymentPDF.vbs

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: AsyncRAT

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: wscript.exe PID: 5648 Parent PID: 3292

General

Analysis Process: file.exe PID: 360 Parent PID: 5648

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre