
Analysis Report ZVFVY7NwZ7.exe

Overview

General Information

Sample Name: ZVFVY7NwZ7.exe
Analysis ID: 431812
MD5: 8e87de15cd3da1245b9c7b0e48c0f126
SHA1: 80830909ec859ed61811329ae16888cb87e1ed5f
SHA256: ec850202f17a8e7f5a04603e9c70ab21d7b39fb3142a79098aef1d592974702e
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • ZVFVY7NwZ7.exe (PID: 2220 cmdline: 'C:\Users\user\Desktop\ZVFVY7NwZ7.exe' MD5: 8E87DE15CD3DA1245B9C7B0E48C0F126)
    • wscript.exe (PID: 1784 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • powershell.exe (PID: 3016 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ZVFVY7NwZ7.exe (PID: 5612 cmdline: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe MD5: 8E87DE15CD3DA1245B9C7B0E48C0F126)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "4614bd42-26c0-4da0-8e09-16890d37", "Group": "Default", "Domain1": "wekeepworking.sytes.net", "Domain2": "wekeepworking12.sytes.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1049d:$x1: NanoCore.ClientPluginHost
  • 0x104da:$x2: IClientNetworkHost
  • 0x1400d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x10205:$a: NanoCore
  • 0x10215:$a: NanoCore
  • 0x10449:$a: NanoCore
  • 0x1045d:$a: NanoCore
  • 0x1049d:$a: NanoCore
  • 0x10264:$b: ClientPlugin
  • 0x10466:$b: ClientPlugin
  • 0x104a6:$b: ClientPlugin
  • 0x1038b:$c: ProjectData
  • 0x10d92:$d: DESCrypto
  • 0x1875e:$e: KeepAlive
  • 0x1674c:$g: LogClientMessage
  • 0x12947:$i: get_Connected
  • 0x110c8:$j: #=q
  • 0x110f8:$j: #=q
  • 0x11114:$j: #=q
  • 0x11144:$j: #=q
  • 0x11160:$j: #=q
  • 0x1117c:$j: #=q
  • 0x111ac:$j: #=q
  • 0x111c8:$j: #=q
0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2205:$x1: NanoCore.ClientPluginHost
  • 0x223e:$x2: IClientNetworkHost
0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2205:$x2: NanoCore.ClientPluginHost
  • 0x2320:$s4: PipeCreated
  • 0x221f:$s5: IClientLoggingHost
(50 entries in total; only the first are shown here)

    Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.ZVFVY7NwZ7.exe.6400000.14.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x605:$x1: NanoCore.ClientPluginHost
  • 0x63e:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6400000.14.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x605:$x2: NanoCore.ClientPluginHost
  • 0x720:$s4: PipeCreated
  • 0x61f:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.674e8a4.25.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x10937:$x1: NanoCore.ClientPluginHost
  • 0x10951:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.674e8a4.25.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x10937:$x2: NanoCore.ClientPluginHost
  • 0x13c74:$s4: PipeCreated
  • 0x10924:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6480000.19.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
(105 entries in total; only the first are shown here)
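As an added illustration of what the rows above record (example code written for this page, not part of the report and not Joe Sandbox's or the rule authors' code), the following Python emulates the string scan over a constructed memory dump. It takes the indicator strings that the Nanocore_RAT_Gen_2 hits ($x1, $x2) and Kevin Breen's NanoCore hits ($a, $b, $d, $e, $j) are built from, reports every offset of each in the same offset:$id style as the table, and applies an "n of them" threshold. The "_like" rule names, the thresholds and the dump bytes are assumptions made here; the published rules carry further conditions that are not reproduced, so this shows how the offsets arise rather than replacing a real yara run.

```python
# Indicator strings taken from the Yara hits listed above. The rule names carry a
# "_like" suffix and the "n of them" thresholds are this example's own assumption:
# the published rules (Florian Roth's Nanocore_RAT_Gen_2, Kevin Breen's NanoCore)
# have additional conditions that are not reproduced here.
RULES = {
    "Nanocore_RAT_Gen_2_like": {
        "strings": {"$x1": b"NanoCore.ClientPluginHost", "$x2": b"IClientNetworkHost"},
        "min_matches": 1,
    },
    "NanoCore_Breen_like": {
        "strings": {"$a": b"NanoCore", "$b": b"ClientPlugin", "$d": b"DESCrypto",
                    "$e": b"KeepAlive", "$j": b"#=q"},
        "min_matches": 3,
    },
}


def find_all(blob: bytes, needle: bytes) -> list:
    """Every offset of needle in blob, including overlapping hits, ascending."""
    offsets, start = [], 0
    while True:
        i = blob.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan(blob: bytes, rules: dict) -> dict:
    """Evaluate each rule: record offsets per string identifier and call the rule
    matched when at least min_matches distinct identifiers were found (Yara's
    'n of them' counts identifiers, not occurrences)."""
    report = {}
    for name, rule in rules.items():
        hits = {sid: find_all(blob, s) for sid, s in rule["strings"].items()}
        matched_ids = sum(1 for offs in hits.values() if offs)
        report[name] = {
            "matched": matched_ids >= rule["min_matches"],
            "strings": {sid: offs for sid, offs in hits.items() if offs},
        }
    return report


def build_dump() -> bytes:
    """Constructed stand-in for a memory dump: an MZ header, padding, then a few
    .NET identifier strings at known offsets. These are not bytes from the sample."""
    buf = bytearray(b"MZ" + b"\x00" * 0x1FE)       # 0x000-0x1FF
    buf += b"\x00" * 0x100                           # 0x200-0x2FF
    buf += b"NanoCore.ClientPluginHost\x00IClientNetworkHost\x00"  # $x1 @0x300, $x2 @0x31a
    buf += b"#=qAbc\x00#=qDef\x00"                   # obfuscator-renamed names, $j @0x32d, 0x334
    buf += b"DESCryptoServiceProvider\x00KeepAlive\x00ProjectData\x00"
    return bytes(buf)


def format_report(report: dict) -> list:
    """Render hits in the 'offset:$id' style used by the table above."""
    lines = []
    for name, res in report.items():
        lines.append(f"{name}: {'MATCH' if res['matched'] else 'no match'}")
        for sid, offs in res["strings"].items():
            for off in offs:
                lines.append(f"  0x{off:x}:{sid}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(scan(build_dump(), RULES))))
```

The memory dumps in this report are .sdmp regions rather than whole files, which is why hits sit at arbitrary offsets such as 0x1049d; a scanner that insists on an MZ header at offset 0 would miss the unpacked client inside a heap region, so the thresholds here are applied to string hits only.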

    Sigma Overview

    AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe, ProcessId: 5612, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | same event (EventID 11, run.dat written by PID 5612) as listed under AV Detection above

    System Summary:

Sigma detected: WScript or CScript Dropper
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community | Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\ZVFVY7NwZ7.exe' , ParentImage: C:\Users\user\Desktop\ZVFVY7NwZ7.exe, ParentProcessId: 2220, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs' , ProcessId: 1784
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs' , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 1784, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe', ProcessId: 3016

    Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | same event (EventID 11, run.dat written by PID 5612) as listed under AV Detection above

    Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | same event (EventID 11, run.dat written by PID 5612) as listed under AV Detection above
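The four Sigma hits in this section come from two process-creation events and one file-creation event in the process tree: wscript.exe launched on a .vbs in %Temp%, a non-interactive powershell.exe under wscript.exe that runs Add-MpPreference -ExclusionPath with C:\ (the whole system drive) as the first excluded path, and run.dat written to %AppData%\<GUID>\. The following Python is an added example (written for this page, not the report's or the Sigma rules' own code) that runs an approximation of that logic over constructed Sysmon-style events. The event dictionaries, the benign control event with PID 7000, the rule titles and the script-extension list are assumptions; the rule bodies are simplifications of the published Sigma rules, not copies of them.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process creation,
# EventID 11 = file created) modelled on the process tree and the Sigma hits in
# this report, plus one benign control event. Not a real log export.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2220,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\Desktop\ZVFVY7NwZ7.exe",
     "CommandLine": r"'C:\Users\user\Desktop\ZVFVY7NwZ7.exe'"},
    {"EventID": 1, "ProcessId": 1784,
     "ParentImage": r"C:\Users\user\Desktop\ZVFVY7NwZ7.exe",
     "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs'"},
    {"EventID": 1, "ProcessId": 3016,
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'"},
    {"EventID": 11, "ProcessId": 5612,
     "Image": r"C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    # Benign control (constructed): an admin excludes one build folder from an
    # interactive shell; this must not fire the whole-drive or non-interactive rules.
    {"EventID": 1, "ProcessId": 7000,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Build\cache'"},
]

GUID = r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"
RUN_DAT_RE = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.IGNORECASE)
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+(.+?)(?:\s+-[A-Za-z]|$)", re.IGNORECASE)
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|[^,\s]+")   # comma-separated list; quoted items may contain spaces
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")  # assumed list


def _field(ev, key):
    return str(ev.get(key, "")).lower()


def rule_wscript_dropper(ev):
    """Simplified 'WScript or CScript Dropper': a script host started on a
    script file that lives under a user profile or temp directory."""
    if ev["EventID"] != 1 or not _field(ev, "Image").endswith(("\\wscript.exe", "\\cscript.exe")):
        return None
    cl = _field(ev, "CommandLine")
    if (":\\users\\" in cl or ":\\temp\\" in cl) and any(ext in cl for ext in SCRIPT_EXTS):
        return "WScript or CScript Dropper"
    return None


def rule_defender_exclusion(ev):
    """Add-MpPreference -ExclusionPath; a bare drive root (here C:\\) exempts the
    whole disk from scanning and is reported as the high-severity variant."""
    if ev["EventID"] != 1:
        return None
    m = EXCLUSION_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    paths = [t.strip("'\"") for t in TOKEN_RE.findall(m.group(1))]
    if any(DRIVE_ROOT_RE.match(p) for p in paths):
        return "Defender exclusion for a whole drive"
    return "Defender exclusion added"


def rule_non_interactive_powershell(ev):
    """Simplified 'Non Interactive PowerShell': parent is not explorer.exe."""
    if ev["EventID"] != 1 or not _field(ev, "Image").endswith("\\powershell.exe"):
        return None
    if _field(ev, "ParentImage").endswith("\\explorer.exe"):
        return None
    return "Non Interactive PowerShell"


def rule_nanocore_run_dat(ev):
    """The file-created event that triggered the NanoCore Sigma rule in this
    report: run.dat inside a GUID-named folder under %AppData%."""
    if ev["EventID"] == 11 and RUN_DAT_RE.search(ev.get("TargetFilename", "")):
        return "NanoCore run.dat in %AppData%\\<GUID>\\"
    return None


RULES = (rule_wscript_dropper, rule_defender_exclusion,
         rule_non_interactive_powershell, rule_nanocore_run_dat)


def detect(events):
    """Run every rule over every event; return (ProcessId, title) pairs."""
    hits = []
    for ev in events:
        for rule in RULES:
            title = rule(ev)
            if title:
                hits.append((ev["ProcessId"], title))
    return hits


if __name__ == "__main__":
    for pid, title in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {title}")
```

On a live host the same exclusion shows up in Get-MpPreference output (ExclusionPath) and under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, so a hunt should pair the process-creation rule with a check of those settings on the affected machine.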

    Signature Overview


    AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ZVFVY7NwZ7.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe | Avira: detection malicious, Label: HEUR/AGEN.1129534
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe | Avira: detection malicious, Label: HEUR/AGEN.1129534
Found malware configuration
Source: 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "4614bd42-26c0-4da0-8e09-16890d37", "Group": "Default", "Domain1": "wekeepworking.sytes.net", "Domain2": "wekeepworking12.sytes.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: wekeepworking.sytes.net | Virustotal: Detection: 7%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZVFVY7NwZ7.exe PID: 5612, type: MEMORY
Source: Yara match | File source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ZVFVY7NwZ7.exe.408a169.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ZVFVY7NwZ7.exe.6494629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ZVFVY7NwZ7.exe.6490000.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ZVFVY7NwZ7.exe.6490000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ZVFVY7NwZ7.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.ZVFVY7NwZ7.exe.6490000.21.unpack | Avira: Label: TR/NanoCore.fadte
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: ZVFVY7NwZ7.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: ZVFVY7NwZ7.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: ZVFVY7NwZ7.exe, 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe | Code function: 4x nop then jmp 054A1AA4h | 0_2_054A1654
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 13_2_06440500
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 13_2_064404F0

    Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49727 -> 79.134.225.90:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49732 -> 79.134.225.90:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 79.134.225.90:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 79.134.225.90:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 79.134.225.90:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 79.134.225.90:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 79.134.225.90:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 79.134.225.90:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 79.134.225.90:1144
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: wekeepworking.sytes.net
Source: Malware configuration extractor | URLs: wekeepworking12.sytes.net
Source: global traffic | TCP traffic: 192.168.2.3:49727 -> 79.134.225.90:1144
Source: Joe Sandbox View | IP Address: 79.134.225.90
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown | DNS traffic detected: queries for: wekeepworking.sytes.net
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: ZVFVY7NwZ7.exe | String found in binary or memory: http://schemas.microso
Source: ZVFVY7NwZ7.exe, 00000000.00000002.333622797.0000000002E61000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000003.399210115.0000000007577000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
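The extracted configuration under Malware Configuration and the network evidence in this section fit together: the client resolves Domain1 (wekeepworking.sytes.net) and then opens repeated short sessions to the answer on Port 1144, which is what the nine Snort alerts record, and because UseCustomDNS is enabled it sends those lookups to 8.8.8.8 / 8.8.4.4 itself instead of the site resolver. The following Python is an added example (written for this page, not the report's or Joe Sandbox's code) that turns the configuration exactly as extracted above into a watchlist and runs it over a constructed traffic log. The log lines, the log format, the assumed site resolver 192.168.2.1 and the alert names are this example's own; only the config values and the 192.168.2.3 -> 79.134.225.90:1144 rows come from the report.

```python
import json
import re
from collections import Counter

# NanoCore configuration exactly as extracted in this report.
NANOCORE_CONFIG = json.loads('''{"Version": "1.2.2.0", "Mutex": "4614bd42-26c0-4da0-8e09-16890d37", "Group": "Default", "Domain1": "wekeepworking.sytes.net", "Domain2": "wekeepworking12.sytes.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}''')


def iocs_from_config(cfg):
    """Turn the extracted config into a watchlist: C2 domains, C2 port and, when
    UseCustomDNS is enabled, the resolvers the implant talks to directly."""
    domains = {v.lower() for k, v in cfg.items() if k.startswith("Domain") and v}
    resolvers = set()
    if cfg.get("UseCustomDNS") == "Enable":
        resolvers = {cfg["PrimaryDNSServer"], cfg["BackupDNSServer"]}
    return {"domains": domains, "port": int(cfg["Port"]),
            "resolvers": resolvers, "mutex": cfg["Mutex"]}


# Constructed traffic log, one record per line (not a capture from the sandbox):
#   dns <client> -> <resolver> <qname> A <answer>
#   tcp <src>:<sport> -> <dst>:<dport> <bytes>
# The 192.168.2.3 rows mirror the DNS query and Snort hits in this report; the
# 203.0.113.x and 10.0.0.x rows are benign / ambiguous controls.
SAMPLE_LOG = """\
dns 192.168.2.3 -> 8.8.8.8 wekeepworking.sytes.net A 79.134.225.90
tcp 192.168.2.3:49727 -> 79.134.225.90:1144 60
tcp 192.168.2.3:49732 -> 79.134.225.90:1144 60
tcp 192.168.2.3:49733 -> 79.134.225.90:1144 60
dns 192.168.2.7 -> 192.168.2.1 www.example.net A 203.0.113.10
tcp 192.168.2.7:50001 -> 203.0.113.10:443 1500
tcp 192.168.2.9:50100 -> 10.0.0.5:1144 200
"""

DNS_RE = re.compile(r"^dns (\S+) -> (\S+) (\S+) A (\S+)$")
TCP_RE = re.compile(r"^tcp (\S+):(\d+) -> (\S+):(\d+) (\d+)$")


def match_network(log_text, cfg, internal_resolvers=frozenset({"192.168.2.1"})):
    """Return (host, alert_kind, detail) tuples. C2 IPs are learned from DNS
    answers for the configured domains, so a hit on the configured port is high
    confidence only when the destination was resolved from a C2 domain; other
    traffic on that port is reported separately as port-only."""
    iocs = iocs_from_config(cfg)
    c2_ips, alerts = set(), []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            client, resolver, qname, answer = m.groups()
            if qname.lower() in iocs["domains"]:
                c2_ips.add(answer)
                alerts.append((client, "dns-c2-domain", qname))
            # UseCustomDNS: the implant queries 8.8.8.8 / 8.8.4.4 directly, bypassing
            # the site resolver (assumed 192.168.2.1); that alone is worth an alert.
            if resolver in iocs["resolvers"] and resolver not in internal_resolvers:
                alerts.append((client, "dns-hardcoded-resolver", resolver))
            continue
        m = TCP_RE.match(line)
        if m:
            src, _sport, dst, dport, _size = m.groups()
            if int(dport) != iocs["port"]:
                continue
            kind = "tcp-c2-session" if dst in c2_ips else "tcp-c2-port-only"
            alerts.append((src, kind, f"{dst}:{dport}"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. how many C2 sessions a host opened."""
    return Counter(kind for _host, kind, _detail in alerts)


if __name__ == "__main__":
    found = match_network(SAMPLE_LOG, NANOCORE_CONFIG)
    for host, kind, detail in found:
        print(f"{host:14} {kind:24} {detail}")
    print(dict(summarize(found)))
```

Port 1144 on its own is a weak indicator (the 10.0.0.5 row shows the port-only case), so the watchlist keys the high-confidence alert on the DNS answer for a configured domain; in a real deployment the resolved address also changes over time, because sytes.net is a dynamic DNS service, which is why the code learns it from traffic rather than hard-coding 79.134.225.90.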

    E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | same match list (memory dumps and unpacked PEs) as given under AV Detection above

    System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.484696296.0000000006740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.484800150.0000000006790000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.484337930.0000000006420000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth