Analysis Report INVOIC #CTR 110510H001347.exe

AV Detection:

Found malware configuration

Source: 00000006.00000002.920330118.0000000003BF1000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "faa60493-d519-4c8d-8ff8-8e7cd20e", "Group": "Default", "Domain1": "79.134.225.17", "Domain2": "127.0.0.1", "Port": 2050, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\VwvbEzxTQmiw.exe	ReversingLabs: Detection: 29%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000012.00000002.749734495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.738973461.0000000003828000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.922946801.0000000005F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.917997308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.920330118.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.751674147.0000000002911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.751817230.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681081392.0000000004137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1256, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 7112, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 6720, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4552, type: MEMORY
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c0cff9.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f14629.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.38dc850.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3bf454d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395ff24.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.396454d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395ff24.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.38dc850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\VwvbEzxTQmiw.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: INVOIC #CTR 110510H001347.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.unpack	Avira: Label: TR/NanoCore.fadte
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.unpack	Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files

Source: INVOIC #CTR 110510H001347.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: INVOIC #CTR 110510H001347.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: System.pdbE source: INVOIC #CTR 110510H001347.exe, 00000006.00000003.911566189.00000000066E9000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb6 source: INVOIC #CTR 110510H001347.exe, 00000006.00000003.911586437.00000000066F9000.00000004.00000001.sdmp
Source:	Binary string: symbols\dll\System.pdb*Z source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.918913855.000000000105C000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbl source: INVOIC #CTR 110510H001347.exe, 00000006.00000003.911566189.00000000066E9000.00000004.00000001.sdmp
Source:	Binary string: i,C:\Windows\System.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.918913855.000000000105C000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000003.911586437.00000000066F9000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb9 source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.923955790.00000000066C2000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbt source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.923955790.00000000066C2000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000003.911586437.00000000066F9000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h		0_2_01751758
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h		0_2_017516E3
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		0_2_051677B4
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		0_2_0516B1E8
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then push dword ptr [ebp-24h]		0_2_0565CC18
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh		0_2_0565CC18
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		0_2_0565BE10
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		0_2_0565C014
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then push dword ptr [ebp-24h]		0_2_0565CC0C
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh		0_2_0565CC0C
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then push dword ptr [ebp-20h]		0_2_0565C8ED
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh		0_2_0565C8ED
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then push dword ptr [ebp-20h]		0_2_0565C8F8
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh		0_2_0565C8F8
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then xor edx, edx		0_2_0565CB46
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then xor edx, edx		0_2_0565CB50
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		6_2_062FF1C0
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		6_2_062FA988
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		6_2_062FF226
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		6_2_062FF1BA
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		6_2_062FA979
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h		8_2_01011758
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h		8_2_01011653

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49747 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49749 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49752 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49754 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49755 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49757 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49781 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49786 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49787 -> 79.134.225.17:2050
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49788 -> 79.134.225.17:2050

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 79.134.225.17
Source: Malware configuration extractor	URLs: 127.0.0.1

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49745 -> 79.134.225.17:2050

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.17

URLs found in memory or binary data

Source: dhcpmon.exe, 00000008.00000002.736440488.00000000027D1000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.680822597.00000000035F0000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736440488.00000000027D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dhcpmon.exe, 00000008.00000002.736440488.00000000027D1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/1
Source: dhcpmon.exe, 00000008.00000002.736440488.00000000027D1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/downloads/
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000003.667947872.00000000036A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736440488.00000000027D1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000003.667947872.00000000036A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736440488.00000000027D1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000003.667947872.00000000036A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736440488.00000000027D1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlc
Source: dhcpmon.exe, 00000008.00000002.736440488.00000000027D1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000003.667947872.00000000036A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736440488.00000000027D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000003.667947872.00000000036A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736440488.00000000027D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: dhcpmon.exe, 00000008.00000002.735148709.0000000000B38000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Installs a raw input device (often for capturing keystrokes)

Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.922946801.0000000005F10000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000012.00000002.749734495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.738973461.0000000003828000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.922946801.0000000005F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.917997308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.920330118.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.751674147.0000000002911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.751817230.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681081392.0000000004137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1256, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 7112, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 6720, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4552, type: MEMORY
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c0cff9.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f14629.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.38dc850.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3bf454d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395ff24.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.396454d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395ff24.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.38dc850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000012.00000002.749734495.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.749734495.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.922515364.0000000005650000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.924419002.0000000006AC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.738973461.0000000003828000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.738973461.0000000003828000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.924619659.0000000006B30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.922946801.0000000005F10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.917997308.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.917997308.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.924483216.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.922665909.00000000056A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.923514818.00000000062D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.751674147.0000000002911000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.924513831.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.922694661.00000000056C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.751817230.0000000003919000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.923487313.00000000062C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.922580530.0000000005680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.920693142.0000000003E91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.922431506.0000000005630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.922598044.0000000005690000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.923603184.00000000062E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.681081392.0000000004137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.681081392.0000000004137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1256, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 1256, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 7112, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 7112, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 6720, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 6720, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4552, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4552, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.INVOIC #CTR 110510H001347.exe.5690000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.56c0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.62e0000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.62d0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3c0cff9.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ac0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3eed147.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.62e0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.5f14629.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.38dc850.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.38dc850.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.INVOIC #CTR 110510H001347.exe.3bf454d.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.56a0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.INVOIC #CTR 110510H001347.exe.62c0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ac0000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.395ff24.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ae0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3eed147.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3eed147.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.INVOIC #CTR 110510H001347.exe.6b30000.33.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.396454d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c3243c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c3243c.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.INVOIC #CTR 110510H001347.exe.6af4c9f.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.395ff24.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3f043a6.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.5690000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ef5f76.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.5650000.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.INVOIC #CTR 110510H001347.exe.5630000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.6b30000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c261f4.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.62d0000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ba9930.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3bb81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3f043a6.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ef5f76.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.6af0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ae0000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c3243c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ba9930.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.56a0000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.5680000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.5630000.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3bae5cf.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.5650000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.dhcpmon.exe.2979658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.6afe8a4.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.395b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.395b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.INVOIC #CTR 110510H001347.exe.6af0000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.2bfef98.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.dhcpmon.exe.38dc850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.38dc850.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c261f4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c261f4.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

PE file contains section with special chars

Source: INVOIC #CTR 110510H001347.exe	Static PE information: section name: >yhX~ gc
Source: VwvbEzxTQmiw.exe.0.dr	Static PE information: section name: >yhX~ gc
Source: dhcpmon.exe.6.dr	Static PE information: section name: >yhX~ gc

PE file has nameless sections

Source: INVOIC #CTR 110510H001347.exe	Static PE information: section name:
Source: VwvbEzxTQmiw.exe.0.dr	Static PE information: section name:
Source: dhcpmon.exe.6.dr	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_017504E8		0_2_017504E8
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01753880		0_2_01753880
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01752650		0_2_01752650
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01752E83		0_2_01752E83
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_0175257F		0_2_0175257F
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01751979		0_2_01751979
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_0175255B		0_2_0175255B
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01756D28		0_2_01756D28
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01756D19		0_2_01756D19
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_017561E0		0_2_017561E0
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_0175A990		0_2_0175A990
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_017568F8		0_2_017568F8
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_017568E8		0_2_017568E8
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_0175B370		0_2_0175B370
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01753311		0_2_01753311
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01756F11		0_2_01756F11
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01756B00		0_2_01756B00
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_0175A388		0_2_0175A388
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01756270		0_2_01756270
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01756260		0_2_01756260
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01756AF0		0_2_01756AF0
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_05165ED0		0_2_05165ED0
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_051688D0		0_2_051688D0
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_0565F750		0_2_0565F750
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_0565DD48		0_2_0565DD48
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_056506E8		0_2_056506E8
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_056506F8		0_2_056506F8
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_05652F08		0_2_05652F08
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_05652F18		0_2_05652F18
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_05658A38		0_2_05658A38
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_0565D3D0		0_2_0565D3D0
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0085DC8E		6_2_0085DC8E
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0504E471		6_2_0504E471
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0504E480		6_2_0504E480
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0504BBD4		6_2_0504BBD4
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_062F8720		6_2_062F8720
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_062F0040		6_2_062F0040
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_062F7B08		6_2_062F7B08
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_062F87DE		6_2_062F87DE
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0715ED62		6_2_0715ED62
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0715B438		6_2_0715B438
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0715AB68		6_2_0715AB68
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_07152BB0		6_2_07152BB0
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_071502F0		6_2_071502F0
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_07150F08		6_2_07150F08
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_07150FC6		6_2_07150FC6
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_071537C8		6_2_071537C8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01013883		8_2_01013883
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_010104E1		8_2_010104E1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01012650		8_2_01012650
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01012E79		8_2_01012E79
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01016D19		8_2_01016D19
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01016D28		8_2_01016D28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0101255B		8_2_0101255B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0101197B		8_2_0101197B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0101257F		8_2_0101257F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0101A990		8_2_0101A990
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_010168F3		8_2_010168F3
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_010168F8		8_2_010168F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01016B00		8_2_01016B00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01013311		8_2_01013311
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01016F1B		8_2_01016F1B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0101B370		8_2_0101B370
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0101A388		8_2_0101A388
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01016260		8_2_01016260
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01016270		8_2_01016270
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01016AFB		8_2_01016AFB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0991BD90		8_2_0991BD90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09919410		8_2_09919410
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_099182D0		8_2_099182D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0991C6D8		8_2_0991C6D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09918640		8_2_09918640
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0991411C		8_2_0991411C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09916500		8_2_09916500
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09913C88		8_2_09913C88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_099158B2		8_2_099158B2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_099134F1		8_2_099134F1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_099164F0		8_2_099164F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09915810		8_2_09915810
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09914017		8_2_09914017
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09919400		8_2_09919400
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0991580F		8_2_0991580F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09919037		8_2_09919037
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09919038		8_2_09919038
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0991003F		8_2_0991003F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09910040		8_2_09910040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09913C79		8_2_09913C79
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_099137F0		8_2_099137F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_099137EF		8_2_099137EF
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09919707		8_2_09919707
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09913F30		8_2_09913F30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09913F3F		8_2_09913F3F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09913F40		8_2_09913F40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09914374		8_2_09914374
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09912EA8		8_2_09912EA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_099182C0		8_2_099182C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09912EF8		8_2_09912EF8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0991961D		8_2_0991961D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09919636		8_2_09919636
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0991863F		8_2_0991863F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_005ADC8E		18_2_005ADC8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0277E471		18_2_0277E471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0277E480		18_2_0277E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0277BBD4		18_2_0277BBD4

Sample file is different than original file name gathered from version info

Source: INVOIC #CTR 110510H001347.exe	Binary or memory string: OriginalFilename vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.685377817.0000000005680000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.680822597.00000000035F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIDisposable.exeF vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.680822597.00000000035F0000.00000004.00000001.sdmp	Binary or memory string: "l,\\StringFileInfo\\000004B0\\OriginalFilename vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000003.667947872.00000000036A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.685742101.000000000A1F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.685354430.0000000005670000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.685782436.000000000A240000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.685782436.000000000A240000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.681081392.0000000004137000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe	Binary or memory string: OriginalFilename vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924419002.0000000006AC0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924619659.0000000006B30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.922830330.0000000005E20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924656572.0000000006B40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.922946801.0000000005F10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.922946801.0000000005F10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924513831.0000000006AF0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924513831.0000000006AF0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924513831.0000000006AF0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs INVOIC #CTR 110510H001347.exe
Source: INVOIC #CTR 110510H001347.exe	Binary or memory string: OriginalFilenameIDisposable.exeF vs INVOIC #CTR 110510H001347.exe

Uses 32bit PE files

Source: INVOIC #CTR 110510H001347.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000012.00000002.749734495.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.749734495.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.922515364.0000000005650000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.922515364.0000000005650000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.924419002.0000000006AC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.924419002.0000000006AC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.738973461.0000000003828000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.738973461.0000000003828000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.924619659.0000000006B30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.924619659.0000000006B30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.922946801.0000000005F10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.922946801.0000000005F10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.917997308.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.917997308.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.924483216.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.924483216.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.922665909.00000000056A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.922665909.00000000056A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.923514818.00000000062D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.923514818.00000000062D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.751674147.0000000002911000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.924513831.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.924513831.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.922694661.00000000056C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.922694661.00000000056C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.751817230.0000000003919000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.923487313.00000000062C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.923487313.00000000062C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.922580530.0000000005680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.922580530.0000000005680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.920693142.0000000003E91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.922431506.0000000005630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.922431506.0000000005630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.922598044.0000000005690000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.922598044.0000000005690000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.923603184.00000000062E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.923603184.00000000062E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.681081392.0000000004137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.681081392.0000000004137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 1256, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 1256, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 7112, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 7112, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 6720, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 6720, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 4552, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 4552, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.INVOIC #CTR 110510H001347.exe.5690000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5690000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.56c0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.56c0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.62e0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.62e0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.62d0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.62d0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3c0cff9.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3c0cff9.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ac0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ac0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3eed147.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3eed147.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.62e0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.62e0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5f14629.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5f14629.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.38dc850.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.38dc850.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.38dc850.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.INVOIC #CTR 110510H001347.exe.3bf454d.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3bf454d.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.56a0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.56a0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.INVOIC #CTR 110510H001347.exe.62c0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.62c0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ac0000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ac0000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.395ff24.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.395ff24.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ae0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ae0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3eed147.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3eed147.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3eed147.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.INVOIC #CTR 110510H001347.exe.6b30000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6b30000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.396454d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.396454d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c3243c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c3243c.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.INVOIC #CTR 110510H001347.exe.6af4c9f.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6af4c9f.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.395ff24.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.395ff24.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3f043a6.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3f043a6.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5690000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5690000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ef5f76.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ef5f76.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5650000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5650000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.INVOIC #CTR 110510H001347.exe.5630000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5630000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6b30000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6b30000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c261f4.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c261f4.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.62d0000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.62d0000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ba9930.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ba9930.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3bb81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3bb81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3f043a6.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3f043a6.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ef5f76.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ef5f76.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6af0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6af0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ae0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6ae0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c3243c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c3243c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ba9930.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3ba9930.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.56a0000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.56a0000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5680000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5680000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5630000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5630000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3bae5cf.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3bae5cf.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5650000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.5650000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.dhcpmon.exe.2979658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.2979658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6afe8a4.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6afe8a4.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.395b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.395b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.395b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.INVOIC #CTR 110510H001347.exe.6af0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.6af0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.INVOIC #CTR 110510H001347.exe.2bfef98.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.dhcpmon.exe.38dc850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.38dc850.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c261f4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.INVOIC #CTR 110510H001347.exe.2c261f4.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Source: INVOIC #CTR 110510H001347.exe	Static PE information: Section: >yhX~ gc ZLIB complexity 1.00031603573
Source: VwvbEzxTQmiw.exe.0.dr	Static PE information: Section: >yhX~ gc ZLIB complexity 1.00031603573
Source: dhcpmon.exe.6.dr	Static PE information: Section: >yhX~ gc ZLIB complexity 1.00031603573

.NET source code contains calls to encryption/decryption functions

Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 18.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 18.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

.NET source code contains many API calls related to security

Source: 18.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/12@0/1

Creates files inside the program directory

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Creates files inside the user directory

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

File created: C:\Users\user\AppData\Roaming\VwvbEzxTQmiw.exe

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\pJktCtXORtNqXwNSpkLJlHm
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{faa60493-d519-4c8d-8ff8-8e7cd20e9967}

Creates temporary files

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

File created: C:\Users\user\AppData\Local\Temp\tmp105.tmp

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Reads ini files

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

SQL strings found in memory and binary data

Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Sample reads its own file content

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

File read: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe:Zone.Identifier

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe 'C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe'
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VwvbEzxTQmiw' /XML 'C:\Users\user\AppData\Local\Temp\tmp105.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process created: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VwvbEzxTQmiw' /XML 'C:\Users\user\AppData\Local\Temp\tmp774E.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VwvbEzxTQmiw' /XML 'C:\Users\user\AppData\Local\Temp\tmp105.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process created: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VwvbEzxTQmiw' /XML 'C:\Users\user\AppData\Local\Temp\tmp774E.tmp'			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: INVOIC #CTR 110510H001347.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: INVOIC #CTR 110510H001347.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: System.pdbE source: INVOIC #CTR 110510H001347.exe, 00000006.00000003.911566189.00000000066E9000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb6 source: INVOIC #CTR 110510H001347.exe, 00000006.00000003.911586437.00000000066F9000.00000004.00000001.sdmp
Source:	Binary string: symbols\dll\System.pdb*Z source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.918913855.000000000105C000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbl source: INVOIC #CTR 110510H001347.exe, 00000006.00000003.911566189.00000000066E9000.00000004.00000001.sdmp
Source:	Binary string: i,C:\Windows\System.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.918913855.000000000105C000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000003.911586437.00000000066F9000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb9 source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.923955790.00000000066C2000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbt source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.923955790.00000000066C2000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000003.911586437.00000000066F9000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Unpacked PE file: 0.2.INVOIC #CTR 110510H001347.exe.ca0000.0.unpack >yhX~ gc:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 8.2.dhcpmon.exe.480000.0.unpack >yhX~ gc:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

.NET source code contains potential unpacker

Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

PE file contains sections with non-standard names

Source: INVOIC #CTR 110510H001347.exe	Static PE information: section name: >yhX~ gc
Source: INVOIC #CTR 110510H001347.exe	Static PE information: section name:
Source: VwvbEzxTQmiw.exe.0.dr	Static PE information: section name: >yhX~ gc
Source: VwvbEzxTQmiw.exe.0.dr	Static PE information: section name:
Source: dhcpmon.exe.6.dr	Static PE information: section name: >yhX~ gc
Source: dhcpmon.exe.6.dr	Static PE information: section name:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_00D59973 push ds; ret		0_2_00D59977
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_00D58D7C pushad ; iretd		0_2_00D58D94
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01759523 push ds; ret		0_2_01759527
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_0175952D push ds; ret		0_2_01759531
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01757FC9 push dword ptr [esp+edi*4]; ret		0_2_01757FCC
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_01757FBF push dword ptr [esp+edi*4]; ret		0_2_01757FC2
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 0_2_05652391 push B0056391h; retf		0_2_0565239D
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0085F692 push cs; retf		6_2_0085F6A2
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0085F6C8 push cs; retf		6_2_0085F6DE
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0085FACA push ss; retf		6_2_0085FACE
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0085F6E0 push cs; retf		6_2_0085F720
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0085FC02 push ds; retf		6_2_0085FC06
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0085FC14 push ds; retf		6_2_0085FC24
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0085F416 push cs; retf		6_2_0085F6A2
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0085FC26 push ds; retf		6_2_0085FC2A
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_062FB622 push 8B000005h; retf		6_2_062FB627
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Code function: 6_2_0715FCC2 push eax; retf		6_2_0715FCC9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_00539973 push ds; ret		8_2_00539977
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_00538D7C pushad ; iretd		8_2_00538D94
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01017FBF push dword ptr [esp+edi*4]; ret		8_2_01017FC2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_01017FC9 push dword ptr [esp+edi*4]; ret		8_2_01017FCC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_010136C9 push ss; iretd		8_2_010136CA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_099175F1 push ss; retf		8_2_099175F2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09917902 push ss; retf		8_2_09917903
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0991A149 push ss; retf		8_2_0991A14A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_099128D9 push ss; retf		8_2_099128DA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_099128FD push ss; retf		8_2_099128FE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09917848 push ss; retf		8_2_09917849
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_0991287D push ss; retf		8_2_0991283A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09918060 push ss; retf		8_2_09918061
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_09917F87 push ss; retf		8_2_09917F89

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: >yhX~ gc entropy: 7.99979614293
Source: initial sample	Static PE information: section name: >yhX~ gc entropy: 7.99979614293
Source: initial sample	Static PE information: section name: >yhX~ gc entropy: 7.99979614293

.NET source code contains many randomly named methods

Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 18.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 18.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	File created: C:\Users\user\AppData\Roaming\VwvbEzxTQmiw.exe			Jump to dropped file
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VwvbEzxTQmiw' /XML 'C:\Users\user\AppData\Local\Temp\tmp105.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

File opened: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe:Zone.Identifier read attributes | delete

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 6720, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4552, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.678988274.0000000003133000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Contains capabilities to detect virtual machines

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Window / User API: threadDelayed 4426			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Window / User API: threadDelayed 4894			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Window / User API: foregroundWindowGot 700			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Window / User API: foregroundWindowGot 627			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe TID: 6724	Thread sleep time: -99218s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe TID: 6752	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe TID: 6900	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe TID: 6336	Thread sleep time: -11068046444225724s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2456	Thread sleep time: -104291s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6280	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6928	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6748	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains medium sleeps (>= 30s)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Thread delayed: delay time: 99218			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 104291			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924656572.0000000006B40000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: dhcpmon.exe, 00000008.00000003.733161877.000000000B560000.00000004.00000001.sdmp	Binary or memory string: .egaqEmuQgQ
Source: dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924656572.0000000006B40000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924656572.0000000006B40000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000008.00000002.736570519.0000000002821000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924656572.0000000006B40000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

Code function: 0_2_01751758 CheckRemoteDebuggerPresent,

0_2_01751758

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Memory written: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VwvbEzxTQmiw' /XML 'C:\Users\user\AppData\Local\Temp\tmp105.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Process created: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VwvbEzxTQmiw' /XML 'C:\Users\user\AppData\Local\Temp\tmp774E.tmp'			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919053113.0000000001510000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919053113.0000000001510000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924854119.0000000006FEC000.00000004.00000001.sdmp	Binary or memory string: Program Managerram Manager
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	Binary or memory string: Program ManagerD$Vkp8
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.922803271.0000000005E1B000.00000004.00000001.sdmp	Binary or memory string: Program Managerram Manager4g
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.920215931.00000000031AF000.00000004.00000001.sdmp	Binary or memory string: Program Manager8
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919631028.0000000002DC8000.00000004.00000001.sdmp	Binary or memory string: Program Managerx
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919053113.0000000001510000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.923803296.000000000657C000.00000004.00000001.sdmp	Binary or memory string: Program Manager4
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919821191.0000000002F1A000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHaVk8
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.923060986.000000000607B000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.923456831.00000000062BC000.00000004.00000001.sdmp	Binary or memory string: Program Manager x

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior

Contains functionality to query local / system time

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

Code function: 6_2_07151FF0 GetSystemTimes,

6_2_07151FF0

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\INVOIC #CTR 110510H001347.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000012.00000002.749734495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.738973461.0000000003828000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.922946801.0000000005F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.917997308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.920330118.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.751674147.0000000002911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.751817230.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681081392.0000000004137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1256, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 7112, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 6720, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4552, type: MEMORY
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c0cff9.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f14629.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.38dc850.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3bf454d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395ff24.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.396454d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395ff24.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.38dc850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Source: INVOIC #CTR 110510H001347.exe, 00000000.00000002.681081392.0000000004137000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.924419002.0000000006AC0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: INVOIC #CTR 110510H001347.exe, 00000006.00000002.919364714.0000000002BF8000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: dhcpmon.exe, 00000008.00000002.738973461.0000000003828000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000012.00000002.749734495.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000012.00000002.751674147.0000000002911000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 00000012.00000002.749734495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.738973461.0000000003828000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.922946801.0000000005F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.917997308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.920330118.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.751674147.0000000002911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.751817230.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681081392.0000000004137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1256, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 7112, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOIC #CTR 110510H001347.exe PID: 6720, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4552, type: MEMORY
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c0cff9.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f14629.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.38dc850.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3bf454d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395ff24.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.5f10000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.396454d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395ff24.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.INVOIC #CTR 110510H001347.exe.3c089d0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.395b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.38dc850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INVOIC #CTR 110510H001347.exe.41ec490.2.raw.unpack, type: UNPACKEDPE