
Analysis Report c3yBu1IF57.exe

Overview

General Information

Sample Name:c3yBu1IF57.exe
Analysis ID:431593
MD5:04f4a27d282ec9ea66549f35b6ff0559
SHA1:8b8f849c58baa0b439c74310986d6702e45ea118
SHA256:4da007eb010d6b86861eced1f00ec48423dedc7aec6b0f7942e668c16ebe82d3
Tags:exeNanoCoreRAT

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Process Tree

  • System is w10x64
  • c3yBu1IF57.exe (PID: 5564 cmdline: 'C:\Users\user\Desktop\c3yBu1IF57.exe' MD5: 04F4A27D282EC9EA66549F35B6FF0559)
    • schtasks.exe (PID: 5408 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp24AD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • c3yBu1IF57.exe (PID: 6080 cmdline: C:\Users\user\Desktop\c3yBu1IF57.exe 0 MD5: 04F4A27D282EC9EA66549F35B6FF0559)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "aa01ad7d-c4c6-4050-b975-9fe8a3c1", "Group": "SPK#0998", "Domain1": "sawitupnew.expackplc.club", "Domain2": "sawitupnew.expackplc.club", "Port": 44322, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
c3yBu1IF57.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
c3yBu1IF57.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
c3yBu1IF57.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
c3yBu1IF57.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x2396f:$a: NanoCore
  • 0x239c8:$a: NanoCore
  • 0x23a05:$a: NanoCore
  • 0x23a7e:$a: NanoCore
  • 0x29262:$a: NanoCore
  • 0x292ac:$a: NanoCore
  • 0x29496:$a: NanoCore
  • 0x239d1:$b: ClientPlugin
  • 0x23a0e:$b: ClientPlugin
  • 0x2430c:$b: ClientPlugin
  • 0x24319:$b: ClientPlugin
  • 0x28ffb:$b: ClientPlugin
  • 0x2926b:$b: ClientPlugin
  • 0x292b5:$b: ClientPlugin
  • 0x297cd:$c: ProjectData
  • 0x19137:$e: KeepAlive
  • 0x23e59:$g: LogClientMessage
  • 0x296c0:$g: LogClientMessage
  • 0x23dd9:$i: get_Connected
  • 0x19227:$j: #=q
  • 0x19257:$j: #=q

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.c3yBu1IF57.exe.39bed06.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x4083:$x1: NanoCore.ClientPluginHost
5.2.c3yBu1IF57.exe.39bed06.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x4083:$x2: NanoCore.ClientPluginHost
  • 0x4161:$s4: PipeCreated
  • 0x409d:$s5: IClientLoggingHost
5.2.c3yBu1IF57.exe.2993b90.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x42d2:$x1: NanoCore.ClientPluginHost
5.2.c3yBu1IF57.exe.2993b90.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x42d2:$x2: NanoCore.ClientPluginHost
  • 0x43b0:$s4: PipeCreated
  • 0x42ec:$s5: IClientLoggingHost
5.2.c3yBu1IF57.exe.39c9579.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\c3yBu1IF57.exe, ProcessId: 5564, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\c3yBu1IF57.exe, ProcessId: 5564, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\c3yBu1IF57.exe, ProcessId: 5564, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\c3yBu1IF57.exe, ProcessId: 5564, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: c3yBu1IF57.exe | Avira: detected
Found malware configuration
Source: 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "aa01ad7d-c4c6-4050-b975-9fe8a3c1", "Group": "SPK#0998", "Domain1": "sawitupnew.expackplc.club", "Domain2": "sawitupnew.expackplc.club", "Port": 44322, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for submitted file
Source: c3yBu1IF57.exe | ReversingLabs: Detection: 97%
Yara detected Nanocore RAT
Source: Yara match | File source: c3yBu1IF57.exe, type: SAMPLE
Source: Yara match | File source: 00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.218347398.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.219165813.0000000003971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.198137342.0000000000E22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: c3yBu1IF57.exe PID: 6080, type: MEMORY
Source: Yara match | File source: Process Memory Space: c3yBu1IF57.exe PID: 5564, type: MEMORY
Source: Yara match | File source: 5.2.c3yBu1IF57.exe.39c9579.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.c3yBu1IF57.exe.39c9579.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.c3yBu1IF57.exe.39bed06.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.c3yBu1IF57.exe.39c3b43.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: c3yBu1IF57.exe | Joe Sandbox ML: detected
Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: c3yBu1IF57.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\c3yBu1IF57.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: c3yBu1IF57.exe, 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49712 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49719 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49725 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49726 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49728 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49750 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49755 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 79.134.225.92:44322
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 79.134.225.92:44322
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: sawitupnew.expackplc.club
Source: global traffic | TCP traffic: 192.168.2.3:49712 -> 79.134.225.92:44322
Source: Joe Sandbox View | IP Address: 79.134.225.92 79.134.225.92
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: unknown | DNS traffic detected: queries for: sawitupnew.expackplc.club
Source: c3yBu1IF57.exe, 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: c3yBu1IF57.exe, type: SAMPLE
Source: Yara match | File source: 00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.218347398.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.219165813.0000000003971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.198137342.0000000000E22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: c3yBu1IF57.exe PID: 6080, type: MEMORY
Source: Yara match | File source: Process Memory Space: c3yBu1IF57.exe PID: 5564, type: MEMORY
Source: Yara match | File source: 5.2.c3yBu1IF57.exe.39c9579.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.c3yBu1IF57.exe.39c9579.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.c3yBu1IF57.exe.39bed06.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.c3yBu1IF57.exe.39c3b43.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: c3yBu1IF57.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: c3yBu1IF57.exe, type: SAMPLE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.218347398.00000000003B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.218347398.00000000003B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.219165813.0000000003971000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.198137342.0000000000E22000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.198137342.0000000000E22000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: c3yBu1IF57.exe PID: 6080, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: c3yBu1IF57.exe PID: 6080, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: c3yBu1IF57.exe PID: 5564, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: c3yBu1IF57.exe PID: 5564, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.c3yBu1IF57.exe.39bed06.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.c3yBu1IF57.exe.2993b90.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.c3yBu1IF57.exe.39c9579.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.c3yBu1IF57.exe.2998c1c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.c3yBu1IF57.exe.2993b90.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.c3yBu1IF57.exe.39c9579.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.c3yBu1IF57.exe.39bed06.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.c3yBu1IF57.exe.39bed06.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.c3yBu1IF57.exe.39c3b43.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.c3yBu1IF57.exe.39c3b43.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\c3yBu1IF57.exe | Code function: 5_2_003B524A
Source: C:\Users\user\Desktop\c3yBu1IF57.exe | Code function: 5_2_04BB2FA8
Source: C:\Users\user\Desktop\c3yBu1IF57.exe | Code function: 5_2_04BB23A0
Source: C:\Users\user\Desktop\c3yBu1IF57.exe | Code function: 5_2_04BB3850
Source: C:\Users\user\Desktop\c3yBu1IF57.exe | Code function: 5_2_04BB306F
Source: c3yBu1IF57.exe, 00000005.00000002.219567678.0000000004CC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs c3yBu1IF57.exe
Source: c3yBu1IF57.exe, 00000005.00000002.218595241.0000000000A7A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs c3yBu1IF57.exe
Source: c3yBu1IF57.exe, 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs c3yBu1IF57.exe
Source: c3yBu1IF57.exe, 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs c3yBu1IF57.exe
Source: c3yBu1IF57.exe, 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs c3yBu1IF57.exe
Source: c3yBu1IF57.exe, 00000005.00000002.219165813.0000000003971000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs c3yBu1IF57.exe
Source: c3yBu1IF57.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: c3yBu1IF57.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: c3yBu1IF57.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: c3yBu1IF57.exe, type: SAMPLE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.218347398.00000000003B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.218347398.00000000003B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.219165813.0000000003971000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.198137342.0000000000E22000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.198137342.0000000000E22000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: c3yBu1IF57.exe PID: 6080, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: c3yBu1IF57.exe PID: 6080, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: c3yBu1IF57.exe PID: 5564, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: c3yBu1IF57.exe PID: 5564, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.c3yBu1IF57.exe.39bed06.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.c3yBu1IF57.exe.39bed06.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.c3yBu1IF57.exe.2993b90.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.c3yBu1IF57.exe.2993b90.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.c3yBu1IF57.exe.39c9579.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.c3yBu1IF57.exe.39c9579.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.c3yBu1IF57.exe.2998c1c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.c3yBu1IF57.exe.2998c1c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.c3yBu1IF57.exe.2993b90.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.c3yBu1IF57.exe.2993b90.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.c3yBu1IF57.exe.39c9579.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.c3yBu1IF57.exe.39c9579.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.c3yBu1IF57.exe.39bed06.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.c3yBu1IF57.exe.39bed06.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.c3yBu1IF57.exe.39bed06.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.c3yBu1IF57.exe.39c3b43.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.c3yBu1IF57.exe.39c3b43.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.c3yBu1IF57.exe.39c3b43.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: c3yBu1IF57.exeStatic PE information: Section: .rsrc ZLIB complexity 0.997152549342
        Source: c3yBu1IF57.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: c3yBu1IF57.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: c3yBu1IF57.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: c3yBu1IF57.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: c3yBu1IF57.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@5/5@20/1
        Source: C:\Users\user\Desktop\c3yBu1IF57.exe File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_01
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{aa01ad7d-c4c6-4050-b975-9fe8a3c113d0}
        Source: C:\Users\user\Desktop\c3yBu1IF57.exe File created: C:\Users\user\AppData\Local\Temp\tmp24AD.tmp
        Source: c3yBu1IF57.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: c3yBu1IF57.exeReversingLabs: Detection: 97%
        Source: C:\Users\user\Desktop\c3yBu1IF57.exe File read: C:\Users\user\Desktop\c3yBu1IF57.exe
        Source: unknownProcess created: C:\Users\user\Desktop\c3yBu1IF57.exe 'C:\Users\user\Desktop\c3yBu1IF57.exe'
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp24AD.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\c3yBu1IF57.exe C:\Users\user\Desktop\c3yBu1IF57.exe 0
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp24AD.tmp'
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: c3yBu1IF57.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: c3yBu1IF57.exe, 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: c3yBu1IF57.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: c3yBu1IF57.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: c3yBu1IF57.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: c3yBu1IF57.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp24AD.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeFile opened: C:\Users\user\Desktop\c3yBu1IF57.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeWindow / User API: foregroundWindowGot 1022
        Source: C:\Users\user\Desktop\c3yBu1IF57.exe TID: 5612Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\c3yBu1IF57.exe TID: 5620Thread sleep time: -500000s >= -30000s
        Source: C:\Users\user\Desktop\c3yBu1IF57.exe TID: 4812Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeMemory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp24AD.tmp'
        Source: C:\Users\user\Desktop\c3yBu1IF57.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara matchFile source: c3yBu1IF57.exe, type: SAMPLE
        Source: Yara matchFile source: 00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.218347398.00000000003B2000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.219165813.0000000003971000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000000.198137342.0000000000E22000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: c3yBu1IF57.exe PID: 6080, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: c3yBu1IF57.exe PID: 5564, type: MEMORY
        Source: Yara matchFile source: 5.2.c3yBu1IF57.exe.39c9579.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.c3yBu1IF57.exe.39c9579.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.0.c3yBu1IF57.exe.e20000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.0.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.c3yBu1IF57.exe.39bed06.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.c3yBu1IF57.exe.39c3b43.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.c3yBu1IF57.exe.3b0000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

Detected Nanocore Rat
Source: c3yBu1IF57.exe, 00000000.00000000.198137342.0000000000E22000.00000002.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: c3yBu1IF57.exe | String found in binary or memory: NanoCore.ClientPluginHost
Source: c3yBu1IF57.exe, 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: c3yBu1IF57.exe, 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: c3yBu1IF57.exe | String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match | File sources: the same fifteen sources (sample, memory dumps, process memory of PIDs 6080 and 5564, and unpacked PEs) listed under Stealing of Sensitive Information above

Mitre Att&ck Matrix

(Digits following a technique name are the report's own signature counters, reproduced as shown; an empty cell means no technique is listed for that tactic in that row.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 11 | Masquerading 1 | Input Capture 11 | Process Discovery 1 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Virtualization/Sandbox Evasion 21 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Application Window Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 11 | NTDS | System Information Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

(behavior graph not reproduced in this extract)

Screenshots

(screenshot thumbnails not reproduced in this extract)

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
c3yBu1IF57.exe | 98% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
c3yBu1IF57.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
c3yBu1IF57.exe | 100% | Joe Sandbox ML |

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

Source | Detection | Scanner | Label
0.0.c3yBu1IF57.exe.e20000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
5.0.c3yBu1IF57.exe.3b0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
5.2.c3yBu1IF57.exe.3b0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sawitupnew.expackplc.club | 79.134.225.92 | true | true | none | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
79.134.225.92 | sawitupnew.expackplc.club | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

          General Information

          Joe Sandbox Version:32.0.0 Black Diamond
          Analysis ID:431593
          Start date:09.06.2021
          Start time:00:14:22
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 6m 3s
          Hypervisor based Inspection enabled:false
          Report type:light
          Sample file name:c3yBu1IF57.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:28
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@5/5@20/1
          EGA Information:Failed
          HDC Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • TCP Packets have been reduced to 100
          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 23.218.209.198, 13.88.21.125, 52.147.198.201, 23.211.6.115, 13.64.90.137, 104.43.193.48, 168.61.161.212, 104.42.151.234, 40.88.32.150, 23.218.208.56, 20.82.209.183, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.50.102.62
          • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net
          • Not all processes where analyzed, report is missing behavior information
          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/431593/sample/c3yBu1IF57.exe

          Simulations

          Behavior and APIs

Time | Type | Description
00:15:10 | API Interceptor | 1045x Sleep call for process: c3yBu1IF57.exe modified
00:15:11 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\c3yBu1IF57.exe" s>$(Arg0)

          Joe Sandbox View / Context

IPs

79.134.225.92 was contacted by these earlier samples, all detected as malicious:
• l00VLAF9y0xQ9Vr.exe
• Gyb49LK8hq.exe
• ORDER-210067.xls.exe
• n7dIHuG3v6.exe
• F6JT4fXIAQ.exe
• Waybill Doc_pdf.exe
• ORDER-0319.pdf.exe
• SecuriteInfo.com.Trojan.Win32.Save.a.31706.exe
• ORDER-21031566AF.exe
• 10UNv6Ul0W.exe
• ORDER-02108 xls.exe
• ORDER #0206.exe
• ORDER #210 xls.exe
• ORDER-2114 doc.exe
• INVOICE-0966542R.exe
• Quotation.exe
• ORDER #0421 pdf.exe
• Payment Copy.exe
• Pi.exe
• SecuriteInfo.com.Trojan.GenericKD.45131634.12155.exe

Domains

sawitupnew.expackplc.club was contacted by l00VLAF9y0xQ9Vr.exe (malicious), resolving to 79.134.225.92

ASN

FINK-TELECOM-SERVICESCH hosted the C2 address of these earlier samples, all detected as malicious (sample, address contacted):
• DPSGNwkO1Z.exe, 79.134.225.25
• SecuriteInfo.com.Trojan.Win32.Save.a.16917.exe, 79.134.225.94
• AedJpyQ9lM.exe, 79.134.225.90
• H538065217Invoice.exe, 79.134.225.9
• Purchase Order Price List.xlsx, 79.134.225.90
• P.I-84512.doc, 79.134.225.41
• l00VLAF9y0xQ9Vr.exe, 79.134.225.92
• Swift [ref QT #U2013 2102001-R2]pdf.exe, 79.134.225.10
• PO756654.exe, 79.134.225.99
• qdFDmi3Bhy.exe, 79.134.225.90
• br.exe, 79.134.225.73
• Yeni sipari#U015f _WJO-001, pdf.exe, 79.134.225.71
• as.exe, 79.134.225.73
• 11.exe, 79.134.225.40
• V8IB839cvz.exe, 79.134.225.25
• A2PlnLyOA7.exe, 79.134.225.90
• PDF 209467_9377363745_378341152.exe, 79.134.225.11
• v4nJnRl1gt.exe, 79.134.225.9
• Invoice#282730.exe, 79.134.225.9
• Urban Receipt.exe, 79.134.225.9
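The C2 domain and address above, together with the AS6775 context, are the network indicators this report yields. The following Python is an added example and not part of the Joe Sandbox report: it matches log lines against them, treating the exact domain or IP as a high-confidence hit and any other address in the same /24 as a medium-confidence hunting lead, since the ASN context ties a dozen neighbouring 79.134.225.x addresses to related samples. The log format and the lines in SAMPLE_LOG are constructed; the destination port is left out because this section does not state it. The /24 tier is a hunting heuristic, not a block rule, and a false positive in a shared hosting range is possible.

```python
# Added example; not code from the Joe Sandbox report. Matches the network
# indicators from the Domains and IPs / Context sections against log lines.
import ipaddress
import re
from typing import Optional

# High confidence: exactly what this sample resolved and connected to.
C2_DOMAINS = {"sawitupnew.expackplc.club"}
C2_IPS = {"79.134.225.92"}
# Lower confidence: the other AS6775 (FINK-TELECOM-SERVICESCH) addresses the
# context section associates with related malicious samples. They are only
# used to derive /24 ranges worth hunting in, never to block on their own.
RELATED_IPS = {"79.134.225.25", "79.134.225.94", "79.134.225.90", "79.134.225.9",
               "79.134.225.41", "79.134.225.10", "79.134.225.99", "79.134.225.73",
               "79.134.225.71", "79.134.225.40", "79.134.225.11"}
WATCH_NETS = {ipaddress.ip_network(ip + "/24", strict=False) for ip in C2_IPS | RELATED_IPS}

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def classify(line: str) -> Optional[str]:
    """'high' for an exact C2 domain/IP hit, 'medium' for a watched /24, else None."""
    if {h.lower() for h in HOSTNAME.findall(line)} & C2_DOMAINS:
        return "high"
    verdict = None
    for candidate in IPV4.findall(line):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 inside some other token
            continue
        if str(addr) in C2_IPS:
            return "high"
        if any(addr in net for net in WATCH_NETS):
            verdict = "medium"
    return verdict


def scan(log_text: str) -> list:
    """Return (confidence, line) for every line that matched an indicator."""
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            hits.append((verdict, line))
    return hits


# Constructed log lines in a generic DNS / network-connection format. Timestamps
# mirror the report's analysis window; the benign line uses an address the report
# itself whitelisted. No destination port: the section above does not state it.
SAMPLE_LOG = """\
2021-06-09 00:15:12 dns  host=WS01 query=sawitupnew.expackplc.club answer=79.134.225.92
2021-06-09 00:15:13 conn host=WS01 image=C:\\Users\\user\\Desktop\\c3yBu1IF57.exe dst=79.134.225.92
2021-06-09 00:16:40 conn host=WS02 image=C:\\Users\\bob\\Downloads\\invoice.exe dst=79.134.225.9
2021-06-09 00:17:02 dns  host=WS03 query=fs.microsoft.com answer=23.218.209.198
"""

if __name__ == "__main__":
    for confidence, line in scan(SAMPLE_LOG):
        print(confidence, line)
```

Running the block prints the three matching lines: two high-confidence hits on the sample's own domain and address, and one medium-confidence lead for the neighbouring 79.134.225.9, which the ASN context lists for several other samples.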

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\c3yBu1IF57.exe.log
                                                  Process:C:\Users\user\Desktop\c3yBu1IF57.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):525
                                                  Entropy (8bit):5.2874233355119316
                                                  Encrypted:false
                                                  SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                  MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                  SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                  SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                  SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                  C:\Users\user\AppData\Local\Temp\tmp24AD.tmp
                                                  Process:C:\Users\user\Desktop\c3yBu1IF57.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1300
                                                  Entropy (8bit):5.1223050895148425
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Naxtn:cbk4oL600QydbQxIYODOLedq3zj
                                                  MD5:3497D83793A24831446ADB5229803ACB
                                                  SHA1:92D84903CE397DEBB29CB41E1D85B01016664C1E
                                                  SHA-256:9C2CD2A62649CA1506354C439137A0BD9FA28521FD9786EF786CECB84BE72ED5
                                                  SHA-512:43D70CB9DB623E59A29045248C516D267979B9C0EE955D08CDDB8A4BDA9E2DD2C02B890C9D53C62D5B5B8E0648D6C521041E253074769D23D73F402851C70BA1
                                                  Malicious:true
                                                  Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <Wak
                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                  Process:C:\Users\user\Desktop\c3yBu1IF57.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2728
                                                  Entropy (8bit):7.094528505897445
                                                  Encrypted:false
                                                  SSDEEP:48:Ik/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH87:ft3Ucrt3Ucrt3Ucrt3Ucrt3Ucrt3UcrN
                                                  MD5:3F16EC9869DEDFFEC07792CA71B87AB5
                                                  SHA1:124F3AAEB04E11DEA7361736CE472750D237D3D2
                                                  SHA-256:1A187F3EF38284FF4EE2B20D6021C884E42FC72284F2DA858D7E389CE9C7D0E9
                                                  SHA-512:8DDE0277C2F8CF1CEF64B1EDF120C4A239619FBE9513C833C94B9A429984ECB8AD2A346FD9E333270207951021CCB0CA08FFCDF2ADE538AAFC2B5FAAA1ADF0A2
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.
                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                  Process:C:\Users\user\Desktop\c3yBu1IF57.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8
                                                  Entropy (8bit):3.0
                                                  Encrypted:false
                                                  SSDEEP:3:FmF:IF
                                                  MD5:2758CC201B8FC3F181975D9C7FD76AF8
                                                  SHA1:72156F42778929C21864DBC28642B55094F05DF8
                                                  SHA-256:1D93C878DCE046A43BE9BB33B734C47E3EB28BC3A068A4C418D182ACF9CA17C7
                                                  SHA-512:4F7BA4F6C79125E48826696616B34BD342E43350DCD5A9BA7DF8460C8E7E9BDB83481A16E3CEFBAB69E762EFD684BC71137DBE3AE849D43E46F10F59467EDEB6
                                                  Malicious:true
                                                  Reputation:low
                                                  Preview: 6..P.+.H
                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                  Process:C:\Users\user\Desktop\c3yBu1IF57.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):37
                                                  Entropy (8bit):4.5944564061110205
                                                  Encrypted:false
                                                  SSDEEP:3:oNWXp5vGDBsAC:oNWXpFGGAC
                                                  MD5:B4549BC5ECDA1FE84F136E4F546A84E2
                                                  SHA1:6EEBA80994809E87805272806320170458403EA3
                                                  SHA-256:3894566F927E085853A06BAB39B68A050C3CFD164E1C13267F1EBABE040536F4
                                                  SHA-512:68548AC66042C49BB52921392520172A043F86D2CC9D0C8A497D951BFFDE78B3076EE25BFB69C2ECD877B09F24448E34F8082E5F8F222D809854A77D834D36EB
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview: C:\Users\user\Desktop\c3yBu1IF57.exe
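The two persistence artefacts above, the task XML handed to schtasks /xml and the GUID-named folder under %APPDATA% holding run.dat, catalog.dat and task.dat, are what an analyst would look for on other hosts. The following Python is an added triage example, not code from the Joe Sandbox report or from NanoCore. It parses a task export, flags the properties this task has (RunLevel HighestAvailable, an empty Triggers element so the task only runs on demand, an action under a user-writable path, a pass-through $(Arg0) argument) and cross-checks the path recorded in task.dat against the task's action. The Actions element, the run.dat and catalog.dat bytes and the file paths in SAMPLE_FILES are constructed from the report's values because the preview is truncated; the helper names (parse_task, task_findings, find_nanocore_dirs, triage) are this example's own. The UTF-16 declaration on a plain-ASCII file comes straight from the report's File Type line and is the one parsing trap the code handles explicitly.

```python
# Added triage example; not code from the Joe Sandbox report or from NanoCore.
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Locations a legitimate system task has no business executing from.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata\\(local|roaming))\\", re.I)
# NanoCore keeps its per-install state in a GUID-named folder under %APPDATA%
# (see Created / dropped Files above).
GUID_DIR = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
NANOCORE_FILES = {"run.dat", "catalog.dat", "task.dat"}


def parse_task(xml_text: str) -> dict:
    """Pull the fields that matter out of a Task Scheduler XML export."""
    # tmp24AD.tmp declares encoding="UTF-16" but is plain ASCII (report: 'XML 1.0
    # document, ASCII text'); drop the declaration so expat does not honour it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    root = ET.fromstring(body)
    exec_node = root.find(f".//{TASK_NS}Exec")
    command = arguments = ""
    if exec_node is not None:
        command = exec_node.findtext(f"{TASK_NS}Command", "").strip().strip('"')
        arguments = exec_node.findtext(f"{TASK_NS}Arguments", "")
    triggers = root.find(f"{TASK_NS}Triggers")
    return {
        "run_level": root.findtext(f".//{TASK_NS}RunLevel", ""),
        "logon_type": root.findtext(f".//{TASK_NS}LogonType", ""),
        "hidden": root.findtext(f".//{TASK_NS}Hidden", ""),
        "trigger_count": 0 if triggers is None else len(triggers),
        "command": command,
        "arguments": arguments,
    }


def task_findings(task: dict) -> list:
    """Reasons a parsed task looks like malware persistence rather than admin work."""
    findings = []
    if task["run_level"] == "HighestAvailable":
        findings.append("runs with the highest privileges the author's token allows")
    if task["trigger_count"] == 0:
        findings.append("no triggers: it only runs when something starts it on demand")
    if USER_WRITABLE.match(task["command"]):
        findings.append("action executes from a user-writable path")
    if "$(Arg0)" in task["arguments"]:
        findings.append("forwards a caller-supplied $(Arg0) argument to the binary")
    return findings


def find_nanocore_dirs(files: dict) -> dict:
    """Map each GUID-named %APPDATA% folder holding run/catalog/task.dat to the
    path recorded in its task.dat.  `files` maps full Windows paths to bytes."""
    by_dir = {}
    for path, content in files.items():
        parent, _, name = path.rpartition("\\")
        by_dir.setdefault(parent, {})[name.lower()] = content
    hits = {}
    for parent, names in by_dir.items():
        leaf = parent.rsplit("\\", 1)[-1]
        if (GUID_DIR.match(leaf) and "\\appdata\\roaming\\" in parent.lower()
                and NANOCORE_FILES <= set(names)):
            hits[parent] = names["task.dat"].decode("ascii", "replace").strip()
    return hits


def triage(xml_text: str, files: dict) -> dict:
    """Run both checks and confirm task.dat points at the task's own action."""
    task = parse_task(xml_text)
    dirs = find_nanocore_dirs(files)
    consistent = [d for d, recorded in dirs.items()
                  if recorded.lower() == task["command"].lower()]
    return {"task": task, "task_findings": task_findings(task),
            "nanocore_dirs": dirs, "consistent": consistent}


# Constructed from the tmp24AD.tmp preview plus the action the Simulations table
# reports for "DHCP Monitor"; the <Actions> block is not in the truncated preview
# and is assumed here.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\user\Desktop\c3yBu1IF57.exe"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed to mirror the Created / dropped Files section; run.dat and
# catalog.dat contents are placeholders, task.dat holds the path the report shows.
ROAMING = r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A"
SAMPLE_FILES = {
    ROAMING + r"\run.dat": b"\x00" * 8,
    ROAMING + r"\catalog.dat": b"\x00" * 16,
    ROAMING + r"\task.dat": rb"C:\Users\user\Desktop\c3yBu1IF57.exe",
    r"C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\c3yBu1IF57.exe.log": b'1,"fusion","GAC",0',
}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_TASK_XML, SAMPLE_FILES), indent=2))
```

On a live host the same functions apply to the files under C:\Windows\System32\Tasks (each is the XML for one registered task) and to a listing of %APPDATA%; the cross-check matters because NanoCore's task.dat and the task action should name the same executable, so a mismatch points at a second install or a task that was re-pointed.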

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.476735179147602
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:c3yBu1IF57.exe
                                                  File size:215040
                                                  MD5:04f4a27d282ec9ea66549f35b6ff0559
                                                  SHA1:8b8f849c58baa0b439c74310986d6702e45ea118
                                                  SHA256:4da007eb010d6b86861eced1f00ec48423dedc7aec6b0f7942e668c16ebe82d3
                                                  SHA512:6365c4d2b7da6468dbc524d5ac6703c61c8d70fe30fdd1dc432cd6dae71f48f921e13154d159594d6e5e327fc68709732cad35a626a1584677bcec676a10a969
                                                  SSDEEP:3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI/HAeptZlcVzYSU+bE12N93Kv:gLV6Bta6dtJmakIM5/ep3lSzV57fK
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................~........... ........@.. .....................................................................

                                                  File Icon

                                                  Icon Hash:00828e8e8686b000

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x41e792
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                  DLL Characteristics:
                                                  Time Stamp:0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v2.0.50727
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                  Entrypoint Preview

                                                  Instruction
                                                  jmp dword ptr [00402000h]

                                                  Data Directories

                                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0x1e738          0x57          .text
                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0x22000          0x17a98       .rsrc
                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0x20000          0xc           .reloc
                                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                  Sections

                                                   Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                   .text   0x2000           0x1c798       0x1c800   False     0.594512404057   data       6.5980802599    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                   .reloc  0x20000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                   .rsrc   0x22000          0x17a98       0x17c00   False     0.997152549342   data       7.99762154799   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                  Resources

                                                   Name       RVA      Size     Type                      Language  Country
                                                   RT_RCDATA  0x22058  0x17a40  TIM image, (44765,55830)

                                                  Imports

                                                   DLL          Import
                                                   mscoree.dll  _CorExeMain

                                                  Network Behavior

                                                  Snort IDS Alerts

                                                   Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
                                                   06/09/21-00:15:11.597880  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49712        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:15:18.008471  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49719        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:15:24.952094  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49725        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:15:31.813106  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49726        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:15:38.228294  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49728        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:15:44.621663  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49733        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:15:51.058775  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49734        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:15:56.135293  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49735        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:16:03.688404  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49737        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:16:10.109966  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49738        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:16:17.616791  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49739        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:16:23.859860  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49747        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:16:30.211817  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49748        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:16:36.435451  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49749        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:16:42.677464  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49750        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:16:48.996299  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49751        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:16:53.788174  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49753        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:16:59.940102  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49755        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:17:06.143024  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49756        44322      192.168.2.3  79.134.225.92
                                                   06/09/21-00:17:12.310339  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49757        44322      192.168.2.3  79.134.225.92

                                                  Network Port Distribution

                                                  TCP Packets


                                                  UDP Packets

                                                  Jun 9, 2021 00:15:44.371109009 CEST53561328.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:15:50.761687994 CEST5898753192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:15:50.810390949 CEST53589878.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:15:55.837618113 CEST5657953192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:15:55.882657051 CEST53565798.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:02.981570959 CEST6063353192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:03.043020010 CEST53606338.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:03.390366077 CEST6129253192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:03.436137915 CEST53612928.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:09.809451103 CEST6361953192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:09.855406046 CEST53636198.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:17.290998936 CEST6493853192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:17.333616972 CEST53649388.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:17.496148109 CEST6194653192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:17.540611029 CEST53619468.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:23.177007914 CEST6491053192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:23.222788095 CEST53649108.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:23.543833971 CEST5212353192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:23.589648962 CEST53521238.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:29.900594950 CEST5613053192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:29.952039003 CEST53561308.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:36.141757011 CEST5633853192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:36.184793949 CEST53563388.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:42.384780884 CEST5942053192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:42.427835941 CEST53594208.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:48.694340944 CEST5878453192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:48.740958929 CEST53587848.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:52.682358027 CEST6397853192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:52.726300955 CEST53639788.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:53.488142967 CEST6293853192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:53.533478022 CEST53629388.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:54.182907104 CEST5570853192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:54.228655100 CEST53557088.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:16:59.643735886 CEST5680353192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:16:59.687155962 CEST53568038.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:17:05.843000889 CEST5714553192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:17:05.887877941 CEST53571458.8.8.8192.168.2.3
                                                  Jun 9, 2021 00:17:12.014848948 CEST5535953192.168.2.38.8.8.8
                                                  Jun 9, 2021 00:17:12.059387922 CEST53553598.8.8.8192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 9, 2021 00:15:11.246614933 CEST | 192.168.2.3 | 8.8.8.8 | 0xec49 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:17.691190958 CEST | 192.168.2.3 | 8.8.8.8 | 0x1a2d | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:24.650753975 CEST | 192.168.2.3 | 8.8.8.8 | 0x8ae4 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:31.516273975 CEST | 192.168.2.3 | 8.8.8.8 | 0x52c3 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:37.908292055 CEST | 192.168.2.3 | 8.8.8.8 | 0x2134 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:44.292639971 CEST | 192.168.2.3 | 8.8.8.8 | 0x32ca | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:50.761687994 CEST | 192.168.2.3 | 8.8.8.8 | 0x2877 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:55.837618113 CEST | 192.168.2.3 | 8.8.8.8 | 0x1fe7 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:03.390366077 CEST | 192.168.2.3 | 8.8.8.8 | 0xfc7a | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:09.809451103 CEST | 192.168.2.3 | 8.8.8.8 | 0x93e6 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:17.290998936 CEST | 192.168.2.3 | 8.8.8.8 | 0x391c | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:23.543833971 CEST | 192.168.2.3 | 8.8.8.8 | 0xc552 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:29.900594950 CEST | 192.168.2.3 | 8.8.8.8 | 0x1174 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:36.141757011 CEST | 192.168.2.3 | 8.8.8.8 | 0xc8ce | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:42.384780884 CEST | 192.168.2.3 | 8.8.8.8 | 0x88da | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:48.694340944 CEST | 192.168.2.3 | 8.8.8.8 | 0xdff8 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:53.488142967 CEST | 192.168.2.3 | 8.8.8.8 | 0x280e | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:59.643735886 CEST | 192.168.2.3 | 8.8.8.8 | 0x5846 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:17:05.843000889 CEST | 192.168.2.3 | 8.8.8.8 | 0x6d15 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)
Jun 9, 2021 00:17:12.014848948 CEST | 192.168.2.3 | 8.8.8.8 | 0xfc9 | Standard query (0) | sawitupnew.expackplc.club | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 9, 2021 00:15:11.296870947 CEST | 8.8.8.8 | 192.168.2.3 | 0xec49 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:17.739301920 CEST | 8.8.8.8 | 192.168.2.3 | 0x1a2d | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:24.695622921 CEST | 8.8.8.8 | 192.168.2.3 | 0x8ae4 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:31.564423084 CEST | 8.8.8.8 | 192.168.2.3 | 0x52c3 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:37.957299948 CEST | 8.8.8.8 | 192.168.2.3 | 0x2134 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:44.371109009 CEST | 8.8.8.8 | 192.168.2.3 | 0x32ca | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:50.810390949 CEST | 8.8.8.8 | 192.168.2.3 | 0x2877 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:15:55.882657051 CEST | 8.8.8.8 | 192.168.2.3 | 0x1fe7 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:03.436137915 CEST | 8.8.8.8 | 192.168.2.3 | 0xfc7a | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:09.855406046 CEST | 8.8.8.8 | 192.168.2.3 | 0x93e6 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:17.333616972 CEST | 8.8.8.8 | 192.168.2.3 | 0x391c | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:23.589648962 CEST | 8.8.8.8 | 192.168.2.3 | 0xc552 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:29.952039003 CEST | 8.8.8.8 | 192.168.2.3 | 0x1174 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:36.184793949 CEST | 8.8.8.8 | 192.168.2.3 | 0xc8ce | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:42.427835941 CEST | 8.8.8.8 | 192.168.2.3 | 0x88da | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:48.740958929 CEST | 8.8.8.8 | 192.168.2.3 | 0xdff8 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:53.533478022 CEST | 8.8.8.8 | 192.168.2.3 | 0x280e | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:16:59.687155962 CEST | 8.8.8.8 | 192.168.2.3 | 0x5846 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:17:05.887877941 CEST | 8.8.8.8 | 192.168.2.3 | 0x6d15 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)
Jun 9, 2021 00:17:12.059387922 CEST | 8.8.8.8 | 192.168.2.3 | 0xfc9 | No error (0) | sawitupnew.expackplc.club | | 79.134.225.92 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 00:15:08
Start date: 09/06/2021
Path: C:\Users\user\Desktop\c3yBu1IF57.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\c3yBu1IF57.exe'
Imagebase: 0xe20000
File size: 215040 bytes
MD5 hash: 04F4A27D282EC9EA66549F35B6FF0559
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.198137342.0000000000E22000.00000002.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.198137342.0000000000E22000.00000002.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000000.198137342.0000000000E22000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 00:15:09
Start date: 09/06/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp24AD.tmp'
Imagebase: 0x13e0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:15:09
Start date: 09/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:15:11
Start date: 09/06/2021
Path: C:\Users\user\Desktop\c3yBu1IF57.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\c3yBu1IF57.exe 0
Imagebase: 0x3b0000
File size: 215040 bytes
MD5 hash: 04F4A27D282EC9EA66549F35B6FF0559
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000005.00000000.204561377.00000000003B2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000005.00000002.219125636.0000000002971000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.218347398.00000000003B2000.00000002.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.218347398.00000000003B2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000005.00000002.218347398.00000000003B2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.219165813.0000000003971000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000005.00000002.219165813.0000000003971000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

Disassembly

Code Analysis
