Analysis Report b2NaDSFu9T.exe

Overview

General Information

Sample Name: b2NaDSFu9T.exe
Analysis ID: 402647
MD5: 042aa11c6d49e1cca5923f02d1b0a5ae
SHA1: 5a89ff2f9702a53fb638b8c7229ba868aaa58ae9
SHA256: 3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34
Tags: exe, NanoCore, RAT

Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • b2NaDSFu9T.exe (PID: 5340 cmdline: 'C:\Users\user\Desktop\b2NaDSFu9T.exe' MD5: 042AA11C6D49E1CCA5923F02D1B0A5AE)
    • RegSvcs.exe (PID: 4892 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": ".0.0.0,", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2a02ad:$x1: NanoCore.ClientPluginHost
  • 0x3252cd:$x1: NanoCore.ClientPluginHost
  • 0x2a02ea:$x2: IClientNetworkHost
  • 0x32530a:$x2: IClientNetworkHost
  • 0x2a3e1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x328e3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x2a0015:$a: NanoCore
  • 0x2a0025:$a: NanoCore
  • 0x2a0259:$a: NanoCore
  • 0x2a026d:$a: NanoCore
  • 0x2a02ad:$a: NanoCore
  • 0x325035:$a: NanoCore
  • 0x325045:$a: NanoCore
  • 0x325279:$a: NanoCore
  • 0x32528d:$a: NanoCore
  • 0x3252cd:$a: NanoCore
  • 0x2a0074:$b: ClientPlugin
  • 0x2a0276:$b: ClientPlugin
  • 0x2a02b6:$b: ClientPlugin
  • 0x325094:$b: ClientPlugin
  • 0x325296:$b: ClientPlugin
  • 0x3252d6:$b: ClientPlugin
  • 0x2a019b:$c: ProjectData
  • 0x3251bb:$c: ProjectData
  • 0x2a0ba2:$d: DESCrypto
  • 0x325bc2:$d: DESCrypto
  • 0x2a856e:$e: KeepAlive
Process Memory Space: b2NaDSFu9T.exe PID: 5340 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x951ad:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x951ea:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x98d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0x94f15:$a: NanoCore
  • 0x94f25:$a: NanoCore
  • 0x95159:$a: NanoCore
  • 0x9516d:$a: NanoCore
  • 0x951ad:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x94f74:$b: ClientPlugin
  • 0x95176:$b: ClientPlugin
  • 0x951b6:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x9509b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x95aa2:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
0.2.b2NaDSFu9T.exe.41a1120.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.b2NaDSFu9T.exe.41a1120.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 4892, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": ".0.0.0,", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Multi AV Scanner detection for submitted file
Source: b2NaDSFu9T.exe | Virustotal: Detection: 17%
Source: b2NaDSFu9T.exe | ReversingLabs: Detection: 17%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE
Source: b2NaDSFu9T.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: b2NaDSFu9T.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: b2NaDSFu9T.exe, 00000000.00000002.263181372.0000000005110000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04F50460
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04F50451
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04F505A8
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04F50598

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49707 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49716 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49721 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49724 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49728 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49729 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49730 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49731 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49738 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49744 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49745 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49746 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49750 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49759 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49760 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49761 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49762 -> 79.134.225.26:1133
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49763 -> 79.134.225.26:1133
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 79.134.225.26
Source: Malware configuration extractor | URLs: nassiru1166main.ddns.net
Source: global traffic | TCP traffic: 192.168.2.7:49707 -> 79.134.225.26:1133
Source: Joe Sandbox View | IP Address: 79.134.225.26
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: b2NaDSFu9T.exe | String found in binary or memory: https://github.com/unguest
Source: b2NaDSFu9T.exe | String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: b2NaDSFu9T.exe, 00000000.00000002.258151442.0000000001069000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_04F60032 NtQuerySystemInformation,0_2_04F60032
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_04F60007 NtQuerySystemInformation,0_2_04F60007
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B942900_2_02B94290
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B926200_2_02B92620
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B974680_2_02B97468
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B939880_2_02B93988
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B931800_2_02B93180
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B951300_2_02B95130
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B942820_2_02B94282
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B96AF80_2_02B96AF8
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B96AE80_2_02B96AE8
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B97ED00_2_02B97ED0
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B95E280_2_02B95E28
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B96E200_2_02B96E20
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B9BA200_2_02B9BA20
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B95E190_2_02B95E19
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B926100_2_02B92610
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B96E100_2_02B96E10
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B972680_2_02B97268
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B972580_2_02B97258
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B97E540_2_02B97E54
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B94FFF0_2_02B94FFF
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B930D00_2_02B930D0
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B9BC380_2_02B9BC38
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B950380_2_02B95038
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B970180_2_02B97018
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B970080_2_02B97008
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B974590_2_02B97459
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B9B5980_2_02B9B598
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B93DE80_2_02B93DE8
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B939380_2_02B93938
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_02B939780_2_02B93978
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeCode function: 0_2_04F501330_2_04F50133
          Source: b2NaDSFu9T.exeBinary or memory string: OriginalFilename vs b2NaDSFu9T.exe
          Source: b2NaDSFu9T.exe, 00000000.00000002.263411006.0000000005260000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll( vs b2NaDSFu9T.exe
          Source: b2NaDSFu9T.exe, 00000000.00000002.263841980.00000000057A0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs b2NaDSFu9T.exe
          Source: b2NaDSFu9T.exe, 00000000.00000002.263181372.0000000005110000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs b2NaDSFu9T.exe
          Source: b2NaDSFu9T.exe, 00000000.00000002.258151442.0000000001069000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs b2NaDSFu9T.exe
          Source: b2NaDSFu9T.exeBinary or memory string: OriginalFilenameInterfaceTypeAttribute.exe6 vs b2NaDSFu9T.exe
          Source: b2NaDSFu9T.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: b2NaDSFu9T.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@3/3@0/1
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\b2NaDSFu9T.exe.logJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{21f4355e-8257-4e77-8f1b-c822c6ea3cbe}
          Source: b2NaDSFu9T.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: b2NaDSFu9T.exeVirustotal: Detection: 17%
          Source: b2NaDSFu9T.exeReversingLabs: Detection: 17%
          Source: unknownProcess created: C:\Users\user\Desktop\b2NaDSFu9T.exe 'C:\Users\user\Desktop\b2NaDSFu9T.exe'
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: b2NaDSFu9T.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: b2NaDSFu9T.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: b2NaDSFu9T.exe | Static file information: File size 1141760 > 1048576
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: b2NaDSFu9T.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x115800
          Source: b2NaDSFu9T.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: mscorrc.pdb source: b2NaDSFu9T.exe, 00000000.00000002.263181372.0000000005110000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Code function: 0_2_007C8A79 push cs; iretd 0_2_007C8BA4
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Code function: 0_2_007C9E79 push cs; retf 0_2_007C9E84
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Code function: 0_2_007C9477 push cs; ret 0_2_007C9484
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Code function: 0_2_007C9E87 push cs; retf 0_2_007C9EA0
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Code function: 0_2_02B99072 push cs; ret 0_2_02B99073
          Source: initial sample | Static PE information: section name: .text entropy: 7.96059480846
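          The two static indicators above (a .text section whose virtual size exceeds 0x100000 and a .text entropy of 7.96, close to the 8.0 maximum) are the classic fingerprint of packed or encrypted code. The following is an added example, not part of the Joe Sandbox report and not the sample's own code: a minimal PE section-table parser and a per-section Shannon entropy check that reproduces both heuristics. The PE it analyses is constructed in memory for the demonstration (two sections, no optional header), and the 7.0 entropy threshold is an assumption taken from common packer-detection practice.

```python
"""Added example: per-section entropy and size heuristics for packed PE files."""
import math
import random
import struct

ENTROPY_PACKED_THRESHOLD = 7.0   # assumption: usual rule of thumb for packed/encrypted sections
TEXT_SIZE_THRESHOLD = 0x100000   # the report's own ".text bigger than 0x100000" threshold


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Yield (name, virtual_size, raw_offset, raw_size) for every section header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    for i in range(nsec):
        # IMAGE_SECTION_HEADER prefix: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, _va, rsize, roff = struct.unpack_from("<8sIIII", pe, table + i * 40)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, roff, rsize


def packing_indicators(pe: bytes) -> dict:
    """Entropy per section plus the two .text heuristics the report fires on."""
    result = {"sections": {}, "flags": []}
    for name, vsize, roff, rsize in parse_sections(pe):
        ent = shannon_entropy(pe[roff:roff + rsize])
        result["sections"][name] = round(ent, 3)
        if ent >= ENTROPY_PACKED_THRESHOLD:
            result["flags"].append(f"{name}: entropy {ent:.2f} >= {ENTROPY_PACKED_THRESHOLD}")
        if name == ".text" and vsize > TEXT_SIZE_THRESHOLD:
            result["flags"].append(f".text virtual size 0x{vsize:X} > 0x{TEXT_SIZE_THRESHOLD:X}")
    return result


def build_sample_pe() -> bytes:
    """Constructed test image (not loadable, no optional header): random .text, repetitive .data."""
    rng = random.Random(1)
    text = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for encrypted/packed code
    data = b"A" * 1024 + b"\0" * 1024                       # plain, low-entropy data
    hdr_end = 0x40 + 4 + 20 + 2 * 40
    raw_text, raw_data = hdr_end, hdr_end + len(text)
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sec_text = struct.pack("<8sIIIIIIHHI", b".text", 0x115800, 0x1000, len(text), raw_text,
                           0, 0, 0, 0, 0x60000020)
    sec_data = struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x200000, len(data), raw_data,
                           0, 0, 0, 0, 0xC0000040)
    return mz + b"PE\0\0" + coff + sec_text + sec_data + text + data


if __name__ == "__main__":
    print(packing_indicators(build_sample_pe()))
```

          On a real sample, read the file with `open(path, "rb").read()` and pass it to `packing_indicators`; a .text entropy near 8.0 on a .NET executable (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present, as above) usually means the managed code is an encrypted payload that is decrypted and loaded at run time rather than plain IL.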

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Process information set: NOOPENFILEERRORBOX (28 identical events)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (37 identical events)

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: b2NaDSFu9T.exe PID: 5340, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Thread delayed: delay time: 922337203685477 (2 identical events)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: threadDelayed 364
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 645
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 731
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe TID: 3888 | Thread sleep time: -100818s >= -30000s
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe TID: 4920 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe TID: 2840 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Thread delayed: delay time: 100818
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Thread delayed: delay time: 922337203685477 (2 identical events)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Memory allocated: page read and write | page guard
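          The memory strings listed above are the sample's own sandbox and VM checks: SbieDll.dll (Sandboxie), wine_get_unix_file_name (a Wine-only kernel32 export), the VMware Tools install path and registry key, the "VMware SVGA II" display adapter name, and, stored right next to them, the Defender exclusion command "Add-MpPreference -ExclusionPath". The delay value 922337203685477 ms is Int64.MaxValue expressed in 100-nanosecond units (.NET TimeSpan.MaxValue), i.e. an effectively infinite wait. Below is an added example, not part of the report and not the sample's code, that scans a process-memory dump for these indicators in both ASCII and UTF-16LE (managed .NET strings are UTF-16LE in memory, so an ASCII-only scan misses them) and classifies sleep durations against the report's 30000 ms threshold. The memory dump it runs on is constructed for the demonstration; the indicator list and category names are the author's own.

```python
"""Added example: anti-analysis indicator scan over a memory dump, plus sleep classification."""

# Indicator strings taken from the report's "Binary or memory string" lines; categories are assumed.
INDICATORS = {
    "sandboxie": ["SbieDll.dll"],
    "wine": ["wine_get_unix_file_name"],
    "vmware": [
        "VMware Tools",
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
        "VMware SVGA II",
        "vmware",
    ],
    "defender_exclusion": ["Add-MpPreference -ExclusionPath"],
}

TIMESPAN_MAX_MS = 922_337_203_685_477   # Int64.MaxValue 100-ns ticks / 10000 = TimeSpan.MaxValue in ms
LONG_SLEEP_MS = 30_000                  # the ">= 30000" threshold the report applies


def scan_memory(dump: bytes) -> dict:
    """Return {category: ["needle [encoding]", ...]} for every indicator found in the dump.

    Matching is case-insensitive. bytes.lower() only folds ASCII letters, which is exactly
    what is needed: UTF-16LE text of ASCII characters is the same letters with NUL padding.
    """
    low = dump.lower()
    hits: dict = {}
    for category, needles in INDICATORS.items():
        for needle in needles:
            for enc in ("ascii", "utf-16-le"):
                if needle.lower().encode(enc) in low:
                    hits.setdefault(category, []).append(f"{needle} [{enc}]")
    return hits


def classify_delay(ms: int) -> str:
    """Label a thread delay the way a sandbox would: normal, long, or effectively infinite."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite (TimeSpan.MaxValue: thread parked until process exit)"
    if ms >= LONG_SLEEP_MS:
        return "long sleep (>= 30 s, evasion of time-limited analysis)"
    return "normal"


# Constructed dump: an unmanaged-style ASCII string plus two managed UTF-16LE strings in filler.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"SbieDll.dll\x00"
    + b"\x90" * 32
    + "VMware SVGA II".encode("utf-16-le")
    + "Add-MpPreference -ExclusionPath ".encode("utf-16-le")
    + b"\xff" * 16
)


if __name__ == "__main__":
    for cat, found in scan_memory(SAMPLE_DUMP).items():
        print(f"{cat}: {found}")
    for ms in (500, 100818, 922337203685477):
        print(ms, "->", classify_delay(ms))
```

          To run this against the report's actual artefact, feed it the 00000000.00000002.258945318.0000000002F4B000 memory region exported from the sandbox; the "defender_exclusion" hit is worth alerting on by itself, since it shows the sample carries a PowerShell command to whitelist its own path in Microsoft Defender.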

          HIPS / PFW / Operating System Protection Evasion:

          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 824008
          Source: C:\Users\user\Desktop\b2NaDSFu9T.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          Source: RegSvcs.exe, 00000001.00000003.316775849.0000000000E52000.00000004.00000001.sdmp | Binary or memory string: Program Manager
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT