Source: Yara match | File source: 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY |
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY |
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY |
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY |
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPE |
Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000005.00000002.606732011.0000000005B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 5.2.RegSvcs.exe.5b50000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000005.00000002.606732011.0000000005B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000005.00000002.606732011.0000000005B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 5.2.RegSvcs.exe.5b50000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 5.2.RegSvcs.exe.5b50000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;; |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data); |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id; |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo; |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade); |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone); |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data); |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor); |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo) |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: RegSvcs.exe, 00000005.00000002.607474197.0000000006D90000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: vmware |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath " |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: VMWARE |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: RegSvcs.exe, 00000005.00000002.607474197.0000000006D90000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: RegSvcs.exe, 00000005.00000002.607474197.0000000006D90000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II |
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 |
Source: RegSvcs.exe, 00000005.00000002.607474197.0000000006D90000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: Yara match | File source: 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY |
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY |
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY |
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY |
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPE |