Source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp |
Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f9198f9a-66a7-4bba-ab1c-dff8091c", "Group": "Default", "Domain1": "tzitziklishop.ddns.net", "Domain2": "tzitziklishop.ddns.net", "Port": 1665, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "37.235.1.177", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"} |
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe |
ReversingLabs: Detection: 36% |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe |
ReversingLabs: Detection: 36% |
Source: C:\Users\user\AppData\Roaming\cat464923.exe |
ReversingLabs: Detection: 36% |
Source: Yara match |
File source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.2348105483.0000000002491000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY |
Source: Yara match |
File source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE |
Source: 18.0.smtpsvc.exe.400000.4.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 17.0.smtpsvc.exe.400000.2.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 17.0.smtpsvc.exe.400000.4.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 16.2.cat464923.exe.400000.0.unpack |
Avira: Label: TR/Dropper.Gen |
Source: 5.2.cat464923.exe.400000.1.unpack |
Avira: Label: TR/Dropper.Gen |
Source: 16.0.cat464923.exe.400000.1.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 5.0.cat464923.exe.400000.1.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 16.0.cat464923.exe.400000.3.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 17.2.smtpsvc.exe.400000.1.unpack |
Avira: Label: TR/Dropper.Gen |
Source: 18.0.smtpsvc.exe.400000.2.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 5.2.cat464923.exe.4a0000.5.unpack |
Avira: Label: TR/NanoCore.fadte |
Source: 18.2.smtpsvc.exe.400000.1.unpack |
Avira: Label: TR/Dropper.Gen |
Source: 5.0.cat464923.exe.400000.3.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: |
Binary string: symbols\dll\System.pdb source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp |
Source: |
Binary string: j,C:\Windows\System.pdb@#P source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp |
Source: |
Binary string: C:\Users\Administrator\Desktop\Client\Temp\geNROzYNTy\src\obj\Debug\grlL.pdb source: smtpsvc.exe |
Source: |
Binary string: .pdbD source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp |
Source: |
Binary string: grlL.pdb0 source: cat464923.exe, 00000005.00000002.2347577380.000000000055D000.00000004.00000020.sdmp |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49168 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49169 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49179 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49180 -> 103.133.106.117:1665 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49181 -> 103.133.106.117:1665 |