Loading ...

Play interactive tourEdit tour

Analysis Report n4CeZTejKM.exe

Overview

General Information

Sample Name:n4CeZTejKM.exe
Analysis ID:383183
MD5:b8362f2f6e0353819fa0dd8a35ef6a58
SHA1:f1cb392fa0fd6acbb6eb1d858064a74fd5272ff3
SHA256:0ef41dabaa6af07317dd45595f15625cb7517650bb13b365de0717d3cad26197
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • n4CeZTejKM.exe (PID: 6528 cmdline: 'C:\Users\user\Desktop\n4CeZTejKM.exe' MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • powershell.exe (PID: 6640 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\n4CeZTejKM.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6660 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6788 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • n4CeZTejKM.exe (PID: 6804 cmdline: C:\Users\user\Desktop\n4CeZTejKM.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • n4CeZTejKM.exe (PID: 6900 cmdline: C:\Users\user\Desktop\n4CeZTejKM.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
  • dhcpmon.exe (PID: 5820 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • powershell.exe (PID: 6120 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 1020 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DD8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6132 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 3348 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • dhcpmon.exe (PID: 6324 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • dhcpmon.exe (PID: 2168 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • dhcpmon.exe (PID: 6712 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "744b568e-a77e-4db4-a930-a5348ceb", "Group": "NWANWA", "Domain1": "lastme11.ddns.net", "Domain2": "127.0.0.1", "Port": 8282, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
    00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xf7ad:$x2: NanoCore.ClientPluginHost
    • 0x10888:$s4: PipeCreated
    • 0xf7c7:$s5: IClientLoggingHost
    Click to see the 32 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    23.2.dhcpmon.exe.3f1e434.3.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xd9ad:$x1: NanoCore.ClientPluginHost
    • 0xd9da:$x2: IClientNetworkHost
    23.2.dhcpmon.exe.3f1e434.3.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xd9ad:$x2: NanoCore.ClientPluginHost
    • 0xea88:$s4: PipeCreated
    • 0xd9c7:$s5: IClientLoggingHost
    23.2.dhcpmon.exe.3f1e434.3.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      9.2.n4CeZTejKM.exe.5f00000.9.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xf7ad:$x1: NanoCore.ClientPluginHost
      • 0xf7da:$x2: IClientNetworkHost
      9.2.n4CeZTejKM.exe.5f00000.9.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xf7ad:$x2: NanoCore.ClientPluginHost
      • 0x10888:$s4: PipeCreated
      • 0xf7c7:$s5: IClientLoggingHost
      Click to see the 68 entries

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\n4CeZTejKM.exe, ProcessId: 6900, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Sigma detected: Scheduled temp file as task from temp locationShow sources
      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\n4CeZTejKM.exe' , ParentImage: C:\Users\user\Desktop\n4CeZTejKM.exe, ParentProcessId: 6528, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp', ProcessId: 6660

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Found malware configurationShow sources
      Source: 00000017.00000002.299890051.0000000003ED1000.00000004.00000001.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "744b568e-a77e-4db4-a930-a5348ceb", "Group": "NWANWA", "Domain1": "lastme11.ddns.net", "Domain2": "127.0.0.1", "Port": 8282, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": ""}
      Multi AV Scanner detection for dropped fileShow sources
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMetadefender: Detection: 18%Perma Link
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 68%
      Source: C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exeMetadefender: Detection: 18%Perma Link
      Source: C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exeReversingLabs: Detection: 68%
      Multi AV Scanner detection for submitted fileShow sources
      Source: n4CeZTejKM.exeVirustotal: Detection: 42%Perma Link
      Source: n4CeZTejKM.exeMetadefender: Detection: 18%Perma Link
      Source: n4CeZTejKM.exeReversingLabs: Detection: 68%
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.281694344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.299890051.0000000003ED1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.484515558.00000000046B7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: n4CeZTejKM.exe PID: 6900, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: n4CeZTejKM.exe PID: 6528, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5820, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6712, type: MEMORY
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3f1e434.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.5f00000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.n4CeZTejKM.exe.3ef4b80.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.46be434.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.46c2a5d.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.5f00000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3f22a5d.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.dhcpmon.exe.3d34b80.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.n4CeZTejKM.exe.3dfa8d0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.46be434.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.5f04629.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3f1e434.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3f195fe.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.n4CeZTejKM.exe.3ef4b80.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.dhcpmon.exe.3d34b80.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.dhcpmon.exe.3c3a8d0.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.46b95fe.5.raw.unpack, type: UNPACKEDPE
      Machine Learning detection for dropped fileShow sources
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exeJoe Sandbox ML: detected
      Machine Learning detection for sampleShow sources
      Source: n4CeZTejKM.exeJoe Sandbox ML: detected
      Source: 9.2.n4CeZTejKM.exe.5f00000.9.unpackAvira: Label: TR/NanoCore.fadte
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 23.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: n4CeZTejKM.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
      Source: n4CeZTejKM.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: n4CeZTejKM.exe, 00000009.00000002.477387335.00000000032A5000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: n4CeZTejKM.exe, 00000001.00000002.220301959.0000000004FE0000.00000002.00000001.sdmp, n4CeZTejKM.exe, 00000009.00000002.486778263.0000000005C10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.271352812.0000000002810000.00000002.00000001.sdmp
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h1_2_04F5CA70
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h10_2_0268C268

      Networking:

      barindex
      C2 URLs / IPs found in malware configurationShow sources
      Source: Malware configuration extractorURLs: lastme11.ddns.net
      Source: Malware configuration extractorURLs: 127.0.0.1
      Uses dynamic DNS servicesShow sources
      Source: unknownDNS query: name: lastme11.ddns.net
      Source: global trafficTCP traffic: 192.168.2.3:49705 -> 194.5.98.9:8282
      Source: Joe Sandbox ViewIP Address: 194.5.98.9 194.5.98.9
      Source: Joe Sandbox ViewASN Name: DANILENKODE DANILENKODE
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.177
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.177
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.177
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownDNS traffic detected: queries for: lastme11.ddns.net
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 0000000B.00000002.438581357.0000000004641000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000002.00000003.303550932.0000000004E8B000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.313150171.0000000005098000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
      Source: n4CeZTejKM.exe, 00000001.00000002.215030094.0000000002D81000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.276077719.0000000002BC1000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
      Source: n4CeZTejKM.exe, 00000001.00000002.212751327.0000000000F3A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: n4CeZTejKM.exe, 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.281694344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.299890051.0000000003ED1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.484515558.00000000046B7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: n4CeZTejKM.exe PID: 6900, type: MEMORY
      Source: Yara match