
Analysis Report kyIfnzzg3E.exe

Overview

General Information

Sample Name: kyIfnzzg3E.exe
Analysis ID: 431751
MD5: eb43b3c033bd76b51b90a51a6726a81c
SHA1: 0d39ffcf64ed4f38ea83a72d726d40881f583014
SHA256: 4e9a5cc90f1d17550208942e0182e9a99598c18c19b3467c184a46f4214755e2
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • kyIfnzzg3E.exe (PID: 5860 cmdline: 'C:\Users\user\Desktop\kyIfnzzg3E.exe' MD5: EB43B3C033BD76B51B90A51A6726A81C)
    • RegAsm.exe (PID: 3636 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 4276 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "4614bd42-26c0-4da0-8e09-16890d37",
  "Group": "Default",
  "Domain1": "wekeepworking.sytes.net",
  "Domain2": "wekeepworking12.sytes.net",
  "Port": 1144,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
kyIfnzzg3E.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\win33.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.250699387.00000000001D2000.00000002.00020000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000007.00000002.461789098.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.461789098.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000007.00000002.461789098.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000000.00000002.251456849.0000000002561000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(20 further memory dump entries are not included on this page)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.0.RegAsm.exe.400000.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.0.RegAsm.exe.400000.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
7.0.RegAsm.exe.400000.3.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
7.0.RegAsm.exe.400000.3.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
0.0.kyIfnzzg3E.exe.1d0000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(39 further unpacked PE entries are not included on this page)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 4276, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore (same event as listed under AV Detection above)

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\kyIfnzzg3E.exe', ParentImage: C:\Users\user\Desktop\kyIfnzzg3E.exe, ParentProcessId: 5860, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 3636
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\kyIfnzzg3E.exe', ParentImage: C:\Users\user\Desktop\kyIfnzzg3E.exe, ParentProcessId: 5860, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 3636

Stealing of Sensitive Information:

Sigma detected: NanoCore (same event as listed under AV Detection above)

Remote Access Functionality:

Sigma detected: NanoCore (same event as listed under AV Detection above)

                Signature Overview


AV Detection:

Found malware configuration
Source: 7.0.RegAsm.exe.400000.3.unpack | Malware Configuration Extractor: NanoCore (configuration as listed in the Malware Configuration section above)
Multi AV Scanner detection for domain / URL
Source: wekeepworking.sytes.net | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\win33.exe | ReversingLabs: Detection: 30%
Multi AV Scanner detection for submitted file
Source: kyIfnzzg3E.exe | Virustotal: Detection: 39%
Source: kyIfnzzg3E.exe | ReversingLabs: Detection: 30%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000007.00000002.461789098.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.249612191.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.252649732.00000000037D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.249317743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.251887619.0000000003645000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.251765887.0000000003561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4276, type: MEMORY
Source: Yara match | File source: 7.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyIfnzzg3E.exe.36e6e20.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyIfnzzg3E.exe.3736e40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyIfnzzg3E.exe.36bee00.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyIfnzzg3E.exe.38d7c88.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyIfnzzg3E.exe.3736e40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyIfnzzg3E.exe.38d7c88.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyIfnzzg3E.exe.36bee00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyIfnzzg3E.exe.36e6e20.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\win33.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: kyIfnzzg3E.exe | Joe Sandbox ML: detected
Source: 7.0.RegAsm.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.RegAsm.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: kyIfnzzg3E.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: kyIfnzzg3E.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegAsm.pdb | source: RegAsm.exe, RegAsm.exe.0.dr
Source: Binary string: RegAsm.pdb4 | source: RegAsm.exe, 00000005.00000000.247162877.00000000000A2000.00000002.00020000.sdmp, RegAsm.exe, 00000007.00000000.249672602.0000000000BF2000.00000002.00020000.sdmp, RegAsm.exe.0.dr
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_04DDCC90
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh | 0_2_04DDCDA8
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 4x nop then jmp 04DD614Fh | 0_2_04DD595D
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_04F5D6D8

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: wekeepworking.sytes.net
Source: Malware configuration extractor | URLs: wekeepworking12.sytes.net
Source: global traffic | TCP traffic: 192.168.2.3:49722 -> 79.134.225.90:1144
Source: Joe Sandbox View | IP Address: 79.134.225.90
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown | DNS traffic detected: queries for: wekeepworking.sytes.net

E-Banking Fraud:

Yara detected Nanocore RAT (same Yara match sources as listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.461789098.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 00000007.00000000.249612191.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 00000000.00000002.252649732.00000000037D6000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 00000007.00000000.249317743.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 00000000.00000002.251887619.0000000003645000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 00000000.00000002.251765887.0000000003561000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: Process Memory Space: RegAsm.exe PID: 4276, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 7.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 0.2.kyIfnzzg3E.exe.36e6e20.3.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 0.2.kyIfnzzg3E.exe.3736e40.4.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 0.2.kyIfnzzg3E.exe.36bee00.5.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 7.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 0.2.kyIfnzzg3E.exe.38d7c88.6.raw.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 0.2.kyIfnzzg3E.exe.3736e40.4.raw.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 0.2.kyIfnzzg3E.exe.38d7c88.6.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 0.2.kyIfnzzg3E.exe.36bee00.5.raw.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 0.2.kyIfnzzg3E.exe.36e6e20.3.raw.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_00BEE4A8
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_00BE3DD0
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_00BE3DC0
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_00BE46D8
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_00BE46CA
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_04DD0040
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_04DD0007
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_04DD5188
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_04DD5178
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_04DD492E
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_04DD7250
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_04DD7208
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_04F50040
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_04F50006
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Code function: 0_2_00BEAA78
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_000A3DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 7_2_00BF3DFE
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
Source: kyIfnzzg3E.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kyIfnzzg3E.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kyIfnzzg3E.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win33.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win33.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win33.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kyIfnzzg3E.exe, 00000000.00000002.251360548.0000000002410000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs kyIfnzzg3E.exe
Source: kyIfnzzg3E.exe, 00000000.00000002.251729227.0000000002629000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs kyIfnzzg3E.exe
Source: kyIfnzzg3E.exe, 00000000.00000002.251729227.0000000002629000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs kyIfnzzg3E.exe
Source: kyIfnzzg3E.exe, 00000000.00000002.251352952.0000000002400000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs kyIfnzzg3E.exe
Source: kyIfnzzg3E.exe, 00000000.00000002.250795419.0000000000276000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenewww.exe$ vs kyIfnzzg3E.exe
Source: kyIfnzzg3E.exe, 00000000.00000002.254711254.0000000004A40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs kyIfnzzg3E.exe
Source: kyIfnzzg3E.exe, 00000000.00000002.254907133.0000000004BB0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRzvqtiwk.dll" vs kyIfnzzg3E.exe
Source: kyIfnzzg3E.exe | Binary or memory string: OriginalFilenamenewww.exe$ vs kyIfnzzg3E.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: sfc.dll
Source: kyIfnzzg3E.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Matched rule metadata (referenced by the entries below):
Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.461789098.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000007.00000000.249612191.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000000.00000002.252649732.00000000037D6000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000007.00000000.249317743.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000000.00000002.251887619.0000000003645000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000000.00000002.251765887.0000000003561000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: Process Memory Space: RegAsm.exe PID: 4276, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 7.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 0.2.kyIfnzzg3E.exe.36e6e20.3.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2
                Source: 0.2.kyIfnzzg3E.exe.36e6e20.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.kyIfnzzg3E.exe.36e6e20.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                Source: 0.2.kyIfnzzg3E.exe.3736e40.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                Source: 0.2.kyIfnzzg3E.exe.3736e40.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.kyIfnzzg3E.exe.3736e40.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                Source: 0.2.kyIfnzzg3E.exe.36bee00.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                Source: 0.2.kyIfnzzg3E.exe.36bee00.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.kyIfnzzg3E.exe.36bee00.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                Source: 7.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                Source: 7.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 7.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                Source: 0.2.kyIfnzzg3E.exe.38d7c88.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                Source: 0.2.kyIfnzzg3E.exe.38d7c88.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.kyIfnzzg3E.exe.38d7c88.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                Source: 0.2.kyIfnzzg3E.exe.3736e40.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                Source: 0.2.kyIfnzzg3E.exe.3736e40.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.kyIfnzzg3E.exe.3736e40.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                Source: 0.2.kyIfnzzg3E.exe.38d7c88.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                Source: 0.2.kyIfnzzg3E.exe.38d7c88.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.kyIfnzzg3E.exe.38d7c88.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                Source: 0.2.kyIfnzzg3E.exe.36bee00.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                Source: 0.2.kyIfnzzg3E.exe.36bee00.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                Source: 0.2.kyIfnzzg3E.exe.36e6e20.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                Source: 0.2.kyIfnzzg3E.exe.36e6e20.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
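The forty match lines above are three independent rule sets (Kevin Breen's 2014 NanoCore rule and Florian Roth's Nanocore_RAT_Gen_2 and Nanocore_RAT_Feb18_1) hitting the same payload in two processes: the loader kyIfnzzg3E.exe (process index 0) and the RegAsm.exe copy it injects into (process index 7, PID 4276). The script below is an added example, not Joe Sandbox code: it parses these report lines (both the fused "MEMORYMatched rule:" form as extracted and the separated form) into a rule -> process -> evidence-type summary and lists which rules are corroborated across both processes. The sample lines are a subset copied from this report; the reading of the leading dotted field of `.sdmp`/`.unpack` identifiers as the sandbox's process index is an assumption inferred from the `.unpack` names on this page, not from sandbox documentation.

```python
"""Summarise Joe Sandbox 'Matched rule' lines: which rule hit which process, on what evidence."""
import re
from collections import defaultdict

# Constructed sample: a subset of the Yara-match lines from this report, verbatim.
SAMPLE_LINES = [
    "Source: 00000000.00000002.252649732.00000000037D6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore",
    "Source: 00000007.00000000.249317743.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/",
    "Source: Process Memory Space: RegAsm.exe PID: 4276, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore",
    "Source: 7.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/",
    "Source: 0.2.kyIfnzzg3E.exe.36e6e20.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/",
    "Source: 0.2.kyIfnzzg3E.exe.36e6e20.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore",
]

# Tolerates the extraction artefact where the type and "Matched rule:" run together.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+?)\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
UNPACK_RE = re.compile(r"^(\d+)\.\d+\.(.+?\.exe)\.")        # e.g. 7.0.RegAsm.exe.400000.3.unpack
PMS_RE = re.compile(r"^Process Memory Space:\s*(\S+)\s+PID:\s*\d+")


def parse_meta(meta):
    """Split 'k = v, k = v' rule metadata. The split looks ahead for the next
    key, so values that themselves contain commas or spaces stay whole."""
    out = {}
    for field in re.split(r",\s+(?=\w+\s*=\s)", meta.strip()):
        if "=" in field:
            key, value = field.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def process_label(source, index_names):
    """Map a source identifier to a process name.

    Assumption (inferred from the *.unpack names on this page, not documented):
    the leading dotted field of .sdmp and .unpack identifiers is the sandbox's
    process index, 0 = kyIfnzzg3E.exe and 7 = RegAsm.exe in this report.
    """
    m = PMS_RE.match(source)
    if m:
        return m.group(1)
    m = UNPACK_RE.match(source)
    if m:
        return m.group(2)
    m = re.match(r"^(\d+)\.", source)
    if m:
        idx = int(m.group(1))
        return index_names.get(idx, f"process index {idx}")
    return source


def summarize(lines):
    """Return {rule: {"meta": {...}, "evidence": {process: set(source types)}}}."""
    parsed, index_names = [], {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # not a Yara-match line
        src = m.group("source")
        u = UNPACK_RE.match(src)
        if u:                                         # learn index -> name before labelling dumps
            index_names[int(u.group(1))] = u.group(2)
        parsed.append((src, m.group("type"), m.group("rule"), parse_meta(m.group("meta"))))

    summary = {}
    for src, typ, rule, meta in parsed:
        entry = summary.setdefault(rule, {"meta": meta, "evidence": defaultdict(set)})
        entry["evidence"][process_label(src, index_names)].add(typ)
    return summary


def corroborated_rules(summary, processes):
    """Rules that fired in every listed process. Independent rule sets agreeing
    across the loader and the injected host outweigh any single hit."""
    return sorted(r for r, e in summary.items() if all(p in e["evidence"] for p in processes))


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for rule, e in s.items():
        print(rule, "|", e["meta"].get("author"), e["meta"].get("date"))
        for proc, types in sorted(e["evidence"].items()):
            print("   ", proc, sorted(types))
    print("corroborated:", corroborated_rules(s, ["kyIfnzzg3E.exe", "RegAsm.exe"]))
```

Run on the full match list above, all three rules come back corroborated in both processes; on the six-line sample only NanoCore and Nanocore_RAT_Feb18_1 do, which is the kind of gap the summary exists to make visible before the hits are turned into a verdict.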
Source: kyIfnzzg3E.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: win33.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.0.RegAsm.exe.400000.3.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.RegAsm.exe.400000.3.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.RegAsm.exe.400000.3.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.RegAsm.exe.400000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.RegAsm.exe.400000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.RegAsm.exe.400000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.RegAsm.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegAsm.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.RegAsm.exe.400000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.RegAsm.exe.400000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.RegAsm.exe.400000.3.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.RegAsm.exe.400000.3.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/5@39/1
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | File created: C:\Users\user\AppData\Roaming\win33.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{4614bd42-26c0-4da0-8e09-16890d37c1d7}
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: kyIfnzzg3E.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: kyIfnzzg3E.exe | Virustotal: Detection: 39%
Source: kyIfnzzg3E.exe | ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | File read: C:\Users\user\Desktop\kyIfnzzg3E.exe
Source: unknown | Process created: C:\Users\user\Desktop\kyIfnzzg3E.exe (command line: 'C:\Users\user\Desktop\kyIfnzzg3E.exe')
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe (command line: C:\Users\user\AppData\Local\Temp\RegAsm.exe)
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe (command line: C:\Users\user\AppData\Local\Temp\RegAsm.exe)
Source: C:\Users\user\Desktop\kyIfnzzg3E.exe | Process created: C:\Users\user\AppData\Local\Te
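The behaviour lines above describe a chain worth detecting without any Yara rule: the sample writes a copy of RegAsm.exe into %TEMP% (and win33.exe into AppData\Roaming), then starts that copy with no arguments and uses it as the injection host that creates the Global\{GUID} mutex and reads the hosts file. The script below is an added example, not Joe Sandbox or NanoCore code: it runs three checks over constructed process, file and mutex events modelled on those lines, plus one benign control event. The checks are my own: RegAsm.exe executing from anywhere other than the .NET Framework directories (the only place Microsoft ships it), RegAsm.exe started with no arguments (without an assembly path it only prints usage, so a long-lived instance is not doing RegAsm's job), and a PE written to a user-writable directory and then executed by its writer. The mutex name is only recorded once its creator has already been flagged, because a GUID-named global mutex on its own is too common to alert on. The vendor installer path, the event schema and the directory list are assumptions.

```python
"""Detection logic for the drop-then-execute RegAsm.exe chain in this report (added example)."""
import ntpath
import re

# Constructed events modelled on the 'File created', 'Mutant created' and
# 'Process created' lines above, plus one benign control (assumed vendor installer).
EVENTS = [
    {"kind": "process", "image": r"C:\Users\user\Desktop\kyIfnzzg3E.exe", "parent": None,
     "cmdline": r"'C:\Users\user\Desktop\kyIfnzzg3E.exe'"},
    {"kind": "file", "actor": r"C:\Users\user\Desktop\kyIfnzzg3E.exe",
     "target": r"C:\Users\user\AppData\Roaming\win33.exe"},
    {"kind": "file", "actor": r"C:\Users\user\Desktop\kyIfnzzg3E.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe"},
    {"kind": "process", "image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "parent": r"C:\Users\user\Desktop\kyIfnzzg3E.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe"},
    {"kind": "mutex", "actor": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "name": r"\Sessions\1\BaseNamedObjects\Global\{4614bd42-26c0-4da0-8e09-16890d37c1d7}"},
    # Benign control (assumed): the genuine RegAsm.exe registering a vendor assembly.
    {"kind": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /codebase vendor.dll"},
]

# RegAsm.exe is shipped only under the .NET Framework directories; any other path is a copy.
LEGIT_REGASM = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\regasm\.exe$")
# Directories a standard user can write to (assumed list; extend per environment).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\desktop\\", "\\downloads\\")


def is_user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def has_arguments(cmdline, image):
    """True if anything follows the image path on the command line (quotes stripped)."""
    rest = cmdline.strip().strip("'\"")
    if rest.lower().startswith(image.lower()):
        rest = rest[len(image):]
    return rest.strip().strip("'\"") != ""


def detect(events):
    """Return (rule, actor, object) tuples in event order."""
    alerts = []
    dropped = {}        # lowercased dropped path -> writer image
    flagged = set()     # lowercased images already alerted on, used for IOC enrichment
    for ev in events:
        if ev["kind"] == "file":
            tgt = ev["target"]
            dropped[tgt.lower()] = ev["actor"]
            if tgt.lower().endswith(".exe") and is_user_writable(tgt):
                alerts.append(("pe_dropped_to_user_profile", ev["actor"], tgt))
        elif ev["kind"] == "process":
            img = ev["image"]
            low = img.lower()
            if ntpath.basename(low) == "regasm.exe":
                if not LEGIT_REGASM.match(low):
                    alerts.append(("regasm_outside_framework_dir", ev["parent"], img))
                    flagged.add(low)
                if not has_arguments(ev["cmdline"], img):
                    alerts.append(("regasm_without_arguments", ev["parent"], img))
                    flagged.add(low)
            writer = dropped.get(low)
            if writer and ev["parent"] and writer.lower() == ev["parent"].lower():
                alerts.append(("drop_then_execute", writer, img))
                flagged.add(low)
        elif ev["kind"] == "mutex" and ev["actor"].lower() in flagged:
            # Record the mutex name as a host IOC only when its creator is already suspicious.
            alerts.append(("ioc_mutex", ev["actor"], ev["name"]))
    return alerts


if __name__ == "__main__":
    for rule, actor, obj in detect(EVENTS):
        print(f"{rule:30} {actor} -> {obj}")
```

The control event produces nothing, which is the point of carrying it: the RegAsm checks key on location and argument shape, not on the binary name, so the legitimate framework copy registering an assembly passes while the %TEMP% copy trips all three process checks and then contributes the mutex as an indicator.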