Play interactive tour

Edit tour

Analysis Report dYy3yfSkwY.exe

Overview

General Information

Sample Name:	dYy3yfSkwY.exe
Analysis ID:	432605
MD5:	3deb8b7e51c21cba0c2c723c5af953dd
SHA1:	f98809b1b883912d278f7eaf64d7eedfaee1ef5a
SHA256:	c0503f7c65391a5be8030bbaaf6c17260fa67e40a3fcc23b84c26610c266008b
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

dYy3yfSkwY.exe (PID: 6108 cmdline: 'C:\Users\user\Desktop\dYy3yfSkwY.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)

dYy3yfSkwY.exe (PID: 668 cmdline: 'C:\Users\user\Desktop\dYy3yfSkwY.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)

opjlpsercy.exe (PID: 3724 cmdline: 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)

opjlpsercy.exe (PID: 4520 cmdline: 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)

opjlpsercy.exe (PID: 5892 cmdline: 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "4614bd42-26c0-4da0-8e09-16890d37", "Group": "Default", "Domain1": "wekeepworking.sytes.net", "Domain2": "wekeepworking12.sytes.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x139f05:$a: NanoCore 0x139f5e:$a: NanoCore 0x139f9b:$a: NanoCore 0x13a014:$a: NanoCore 0x142ae8:$a: NanoCore 0x142b0d:$a: NanoCore 0x142b66:$a: NanoCore 0x152d03:$a: NanoCore 0x152d29:$a: NanoCore 0x152d85:$a: NanoCore 0x15fbda:$a: NanoCore 0x15fc33:$a: NanoCore 0x15fc66:$a: NanoCore 0x15fe92:$a: NanoCore 0x15ff0e:$a: NanoCore 0x160527:$a: NanoCore 0x160670:$a: NanoCore 0x160b44:$a: NanoCore 0x160e2b:$a: NanoCore 0x160e42:$a: NanoCore 0x1663e0:$a: NanoCore
0000000B.00000002.319549745.00000000028EE000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x196c7:$a: NanoCore 0x19720:$a: NanoCore 0x1975d:$a: NanoCore 0x197d6:$a: NanoCore 0x224e6:$a: NanoCore 0x2250b:$a: NanoCore 0x22564:$a: NanoCore 0x327a3:$a: NanoCore 0x327c9:$a: NanoCore 0x32825:$a: NanoCore 0x3f6c7:$a: NanoCore 0x3f720:$a: NanoCore 0x3f753:$a: NanoCore 0x3f97f:$a: NanoCore 0x3f9fb:$a: NanoCore 0x40014:$a: NanoCore 0x4015d:$a: NanoCore 0x40631:$a: NanoCore 0x40918:$a: NanoCore 0x4092f:$a: NanoCore 0x45fa9:$a: NanoCore
0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101ad:$x1: NanoCore.ClientPluginHost 0x101ea:$x2: IClientNetworkHost 0x13d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff15:$a: NanoCore 0xff25:$a: NanoCore 0x10159:$a: NanoCore 0x1016d:$a: NanoCore 0x101ad:$a: NanoCore 0xff74:$b: ClientPlugin 0x10176:$b: ClientPlugin 0x101b6:$b: ClientPlugin 0x1009b:$c: ProjectData 0x10aa2:$d: DESCrypto 0x1846e:$e: KeepAlive 0x1645c:$g: LogClientMessage 0x12657:$i: get_Connected 0x10dd8:$j: #=q 0x10e08:$j: #=q 0x10e24:$j: #=q 0x10e54:$j: #=q 0x10e70:$j: #=q 0x10e8c:$j: #=q 0x10ebc:$j: #=q 0x10ed8:$j: #=q
00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x122d3:$c: ProjectData 0x12cda:$d: DESCrypto 0x1a6a6:$e: KeepAlive 0x18694:$g: LogClientMessage 0x1488f:$i: get_Connected 0x13010:$j: #=q 0x13040:$j: #=q 0x1305c:$j: #=q 0x1308c:$j: #=q 0x130a8:$j: #=q 0x130c4:$j: #=q 0x130f4:$j: #=q 0x13110:$j: #=q
00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
Process Memory Space: opjlpsercy.exe PID: 3724	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1249d8:$x1: NanoCore.ClientPluginHost 0x124a39:$x2: IClientNetworkHost 0x129e3e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x137db0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: opjlpsercy.exe PID: 3724	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: opjlpsercy.exe PID: 3724	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1244dd:$a: NanoCore 0x1244f9:$a: NanoCore 0x124654:$a: NanoCore 0x124663:$a: NanoCore 0x12493c:$a: NanoCore 0x124968:$a: NanoCore 0x1249d8:$a: NanoCore 0x13441a:$a: NanoCore 0x13442c:$a: NanoCore 0x134468:$a: NanoCore 0x124584:$b: ClientPlugin 0x1246ad:$b: ClientPlugin 0x124971:$b: ClientPlugin 0x1249e1:$b: ClientPlugin 0x134435:$b: ClientPlugin 0x134471:$b: ClientPlugin 0x1247fa:$c: ProjectData 0x134367:$c: ProjectData 0x125936:$d: DESCrypto 0x134cc5:$d: DESCrypto 0x12fcc3:$e: KeepAlive
Process Memory Space: opjlpsercy.exe PID: 4520	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1cfa:$x1: NanoCore.ClientPluginHost 0x1411a:$x1: NanoCore.ClientPluginHost 0x3bf1d:$x1: NanoCore.ClientPluginHost 0x3ecea:$x1: NanoCore.ClientPluginHost 0x49604:$x1: NanoCore.ClientPluginHost 0x5c17f:$x1: NanoCore.ClientPluginHost 0x5eb69:$x1: NanoCore.ClientPluginHost 0x61fbe:$x1: NanoCore.ClientPluginHost 0x64ba9:$x1: NanoCore.ClientPluginHost 0x6bd4d:$x1: NanoCore.ClientPluginHost 0x70ba8:$x1: NanoCore.ClientPluginHost 0x7d382:$x1: NanoCore.ClientPluginHost 0x86e4d:$x1: NanoCore.ClientPluginHost 0xa97e1:$x1: NanoCore.ClientPluginHost 0xb819c:$x1: NanoCore.ClientPluginHost 0xc75fe:$x1: NanoCore.ClientPluginHost 0xe9f72:$x1: NanoCore.ClientPluginHost 0x104661:$x1: NanoCore.ClientPluginHost 0x1750eb:$x1: NanoCore.ClientPluginHost 0x177f46:$x1: NanoCore.ClientPluginHost 0x182862:$x1: NanoCore.ClientPluginHost
Process Memory Space: opjlpsercy.exe PID: 4520	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: opjlpsercy.exe PID: 4520	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1cfa:$a: NanoCore 0x2090:$a: NanoCore 0x21e1:$a: NanoCore 0x113e9:$a: NanoCore 0x114d8:$a: NanoCore 0x1411a:$a: NanoCore 0x144b0:$a: NanoCore 0x14601:$a: NanoCore 0x238ba:$a: NanoCore 0x239a9:$a: NanoCore 0x3be0f:$a: NanoCore 0x3beb0:$a: NanoCore 0x3bf1d:$a: NanoCore 0x3bfde:$a: NanoCore 0x3ceaf:$a: NanoCore 0x3cf02:$a: NanoCore 0x3cf3b:$a: NanoCore 0x3cfae:$a: NanoCore 0x3ecad:$a: NanoCore 0x3ecea:$a: NanoCore 0x3ed73:$a: NanoCore
Process Memory Space: dYy3yfSkwY.exe PID: 668	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1cb8:$x1: NanoCore.ClientPluginHost 0x2b95:$x2: IClientNetworkHost 0xf254:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dYy3yfSkwY.exe PID: 668	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dYy3yfSkwY.exe PID: 668	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1cb8:$a: NanoCore 0x204e:$a: NanoCore 0x219f:$a: NanoCore 0x11458:$a: NanoCore 0x11547:$a: NanoCore 0x1cc1:$b: ClientPlugin 0x21a8:$b: ClientPlugin 0x12369:$b: ClientPlugin 0x3673d:$b: ClientPlugin 0x5b56d:$b: ClientPlugin 0x9c9e2:$b: ClientPlugin 0x9ca14:$b: ClientPlugin 0x9ca45:$b: ClientPlugin 0x9ca9a:$b: ClientPlugin 0x9cacb:$b: ClientPlugin 0x9cafd:$b: ClientPlugin 0x9cb2f:$b: ClientPlugin 0x9cb84:$b: ClientPlugin 0x9cba9:$b: ClientPlugin 0x9cbfd:$b: ClientPlugin 0x9cc22:$b: ClientPlugin
Process Memory Space: dYy3yfSkwY.exe PID: 6108	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123dca:$x1: NanoCore.ClientPluginHost 0x123e2b:$x2: IClientNetworkHost 0x129230:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1371a2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dYy3yfSkwY.exe PID: 6108	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dYy3yfSkwY.exe PID: 6108	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1238cf:$a: NanoCore 0x1238eb:$a: NanoCore 0x123a46:$a: NanoCore 0x123a55:$a: NanoCore 0x123d2e:$a: NanoCore 0x123d5a:$a: NanoCore 0x123dca:$a: NanoCore 0x13380c:$a: NanoCore 0x13381e:$a: NanoCore 0x13385a:$a: NanoCore 0x123976:$b: ClientPlugin 0x123a9f:$b: ClientPlugin 0x123d63:$b: ClientPlugin 0x123dd3:$b: ClientPlugin 0x133827:$b: ClientPlugin 0x133863:$b: ClientPlugin 0x123bec:$c: ProjectData 0x133759:$c: ProjectData 0x124d28:$d: DESCrypto 0x1340b7:$d: DESCrypto 0x12f0b5:$e: KeepAlive
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.opjlpsercy.exe.3ab7184.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
11.2.opjlpsercy.exe.3ab7184.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
11.2.opjlpsercy.exe.290b950.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
11.2.opjlpsercy.exe.290b950.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
7.2.opjlpsercy.exe.9810000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.9810000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.9810000.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
11.2.opjlpsercy.exe.4a70000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.opjlpsercy.exe.4a70000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.opjlpsercy.exe.4a70000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.4a70000.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.opjlpsercy.exe.9821458.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.9821458.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.9821458.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.9821458.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.2.opjlpsercy.exe.4a70000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.opjlpsercy.exe.4a70000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.opjlpsercy.exe.4a70000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.4a70000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.opjlpsercy.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.opjlpsercy.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
11.1.opjlpsercy.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.1.opjlpsercy.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.1.opjlpsercy.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.1.opjlpsercy.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.opjlpsercy.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.opjlpsercy.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.opjlpsercy.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.2.opjlpsercy.exe.3ab7184.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d0e:$x1: NanoCore.ClientPluginHost 0x1c25c:$x1: NanoCore.ClientPluginHost 0x2222d:$x1: NanoCore.ClientPluginHost 0x2bc99:$x1: NanoCore.ClientPluginHost 0x360c4:$x1: NanoCore.ClientPluginHost 0x410a1:$x1: NanoCore.ClientPluginHost 0x4ce43:$x1: NanoCore.ClientPluginHost 0x6231b:$x1: NanoCore.ClientPluginHost 0x8a57d:$x1: NanoCore.ClientPluginHost 0x999bd:$x1: NanoCore.ClientPluginHost 0xb1859:$x1: NanoCore.ClientPluginHost 0xd9aa7:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d47:$x2: IClientNetworkHost 0x1c295:$x2: IClientNetworkHost 0x2bdf6:$x2: IClientNetworkHost 0x360fd:$x2: IClientNetworkHost 0x410bb:$x2: IClientNetworkHost 0x4ce5d:$x2: IClientNetworkHost 0x62348:$x2: IClientNetworkHost
11.2.opjlpsercy.exe.3ab7184.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.3ab7184.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1c25c:$a: NanoCore 0x1c2d6:$a: NanoCore 0x20e73:$a: NanoCore 0x2222d:$a: NanoCore 0x22277:$a: NanoCore 0x22ed1:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
0.2.dYy3yfSkwY.exe.2180000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.1.dYy3yfSkwY.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.1.dYy3yfSkwY.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.dYy3yfSkwY.exe.2180000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.1.dYy3yfSkwY.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.dYy3yfSkwY.exe.2180000.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
3.1.dYy3yfSkwY.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.opjlpsercy.exe.400000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.opjlpsercy.exe.400000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.400000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
3.1.dYy3yfSkwY.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.1.dYy3yfSkwY.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
3.1.dYy3yfSkwY.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.1.dYy3yfSkwY.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.2.opjlpsercy.exe.38e3258.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.opjlpsercy.exe.38e3258.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.opjlpsercy.exe.38e3258.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.38e3258.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.dYy3yfSkwY.exe.2180000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.dYy3yfSkwY.exe.2180000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.dYy3yfSkwY.exe.2180000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
11.2.opjlpsercy.exe.29068e8.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x9c23:$x1: NanoCore.ClientPluginHost 0x19ee1:$x1: NanoCore.ClientPluginHost 0x27097:$x1: NanoCore.ClientPluginHost 0x2d6c1:$x1: NanoCore.ClientPluginHost 0x336e0:$x1: NanoCore.ClientPluginHost 0x3d197:$x1: NanoCore.ClientPluginHost 0x4760f:$x1: NanoCore.ClientPluginHost 0x5274d:$x1: NanoCore.ClientPluginHost 0x5e53f:$x1: NanoCore.ClientPluginHost 0x6a39a:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9c4d:$x2: IClientNetworkHost 0x19f0e:$x2: IClientNetworkHost 0x270d0:$x2: IClientNetworkHost 0x2d6fa:$x2: IClientNetworkHost 0x3d2f4:$x2: IClientNetworkHost 0x47648:$x2: IClientNetworkHost 0x52767:$x2: IClientNetworkHost 0x5e559:$x2: IClientNetworkHost 0x6a3d7:$x2: IClientNetworkHost
11.2.opjlpsercy.exe.29068e8.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x9c23:$x2: NanoCore.ClientPluginHost 0x19ee1:$x2: NanoCore.ClientPluginHost 0x27097:$x2: NanoCore.ClientPluginHost 0x2d6c1:$x2: NanoCore.ClientPluginHost 0x336e0:$x2: NanoCore.ClientPluginHost 0x3d197:$x2: NanoCore.ClientPluginHost 0x4760f:$x2: NanoCore.ClientPluginHost 0x5274d:$x2: NanoCore.ClientPluginHost 0x5e53f:$x2: NanoCore.ClientPluginHost 0x6a39a:$x2: NanoCore.ClientPluginHost 0x1aeb0:$s2: FileCommand 0x1261:$s3: PipeExists 0x3e0ed:$s3: PipeExists 0x1136:$s4: PipeCreated 0xbad3:$s4: PipeCreated 0x1f8b2:$s4: PipeCreated 0x271b4:$s4: PipeCreated 0x2d7dc:$s4: PipeCreated 0x337be:$s4: PipeCreated 0x3d38d:$s4: PipeCreated
11.2.opjlpsercy.exe.29068e8.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x9bfe:$a: NanoCore 0x9c23:$a: NanoCore 0x9c7c:$a: NanoCore 0x19ebb:$a: NanoCore 0x19ee1:$a: NanoCore 0x19f3d:$a: NanoCore 0x26ddf:$a: NanoCore 0x26e38:$a: NanoCore 0x26e6b:$a: NanoCore 0x27097:$a: NanoCore 0x27113:$a: NanoCore 0x2772c:$a: NanoCore 0x27875:$a: NanoCore 0x27d49:$a: NanoCore 0x28030:$a: NanoCore 0x28047:$a: NanoCore 0x2d6c1:$a: NanoCore
11.2.opjlpsercy.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.opjlpsercy.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.opjlpsercy.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.1.opjlpsercy.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.1.opjlpsercy.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.1.opjlpsercy.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.1.opjlpsercy.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.2.opjlpsercy.exe.3aa6126.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x99e7:$x1: NanoCore.ClientPluginHost 0x19c03:$x1: NanoCore.ClientPluginHost 0x26d6c:$x1: NanoCore.ClientPluginHost 0x2d2ba:$x1: NanoCore.ClientPluginHost 0x3328b:$x1: NanoCore.ClientPluginHost 0x3ccf7:$x1: NanoCore.ClientPluginHost 0x47122:$x1: NanoCore.ClientPluginHost 0x520ff:$x1: NanoCore.ClientPluginHost 0x5dea1:$x1: NanoCore.ClientPluginHost 0x73379:$x1: NanoCore.ClientPluginHost 0x9b5db:$x1: NanoCore.ClientPluginHost 0xaaa1b:$x1: NanoCore.ClientPluginHost 0xc28b7:$x1: NanoCore.ClientPluginHost 0xeab05:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9a11:$x2: IClientNetworkHost 0x19c30:$x2: IClientNetworkHost 0x26da5:$x2: IClientNetworkHost 0x2d2f3:$x2: IClientNetworkHost 0x3ce54:$x2: IClientNetworkHost
11.2.opjlpsercy.exe.3aa6126.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.3aa6126.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99c2:$a: NanoCore 0x99e7:$a: NanoCore 0x9a40:$a: NanoCore 0x19bdd:$a: NanoCore 0x19c03:$a: NanoCore 0x19c5f:$a: NanoCore 0x26ab4:$a: NanoCore 0x26b0d:$a: NanoCore 0x26b40:$a: NanoCore 0x26d6c:$a: NanoCore 0x26de8:$a: NanoCore 0x27401:$a: NanoCore 0x2754a:$a: NanoCore 0x27a1e:$a: NanoCore 0x27d05:$a: NanoCore 0x27d1c:$a: NanoCore 0x2d2ba:$a: NanoCore
11.2.opjlpsercy.exe.2917c24.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
11.2.opjlpsercy.exe.2917c24.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
11.2.opjlpsercy.exe.3aaaf52.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
11.2.opjlpsercy.exe.3aaaf52.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
7.2.opjlpsercy.exe.9810000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.9810000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.9810000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
11.1.opjlpsercy.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.1.opjlpsercy.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.1.opjlpsercy.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
11.2.opjlpsercy.exe.38e3258.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.opjlpsercy.exe.38e3258.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.opjlpsercy.exe.38e3258.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.38e3258.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.opjlpsercy.exe.9821458.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.9821458.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.9821458.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.9821458.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.1.dYy3yfSkwY.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.1.dYy3yfSkwY.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.1.dYy3yfSkwY.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
11.2.opjlpsercy.exe.290b950.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e79:$x1: NanoCore.ClientPluginHost 0x2202f:$x1: NanoCore.ClientPluginHost 0x28659:$x1: NanoCore.ClientPluginHost 0x2e678:$x1: NanoCore.ClientPluginHost 0x3812f:$x1: NanoCore.ClientPluginHost 0x425a7:$x1: NanoCore.ClientPluginHost 0x4d6e5:$x1: NanoCore.ClientPluginHost 0x594d7:$x1: NanoCore.ClientPluginHost 0x65332:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14ea6:$x2: IClientNetworkHost 0x22068:$x2: IClientNetworkHost 0x28692:$x2: IClientNetworkHost 0x3828c:$x2: IClientNetworkHost 0x425e0:$x2: IClientNetworkHost 0x4d6ff:$x2: IClientNetworkHost 0x594f1:$x2: IClientNetworkHost 0x6536f:$x2: IClientNetworkHost
11.2.opjlpsercy.exe.290b950.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e79:$x2: NanoCore.ClientPluginHost 0x2202f:$x2: NanoCore.ClientPluginHost 0x28659:$x2: NanoCore.ClientPluginHost 0x2e678:$x2: NanoCore.ClientPluginHost 0x3812f:$x2: NanoCore.ClientPluginHost 0x425a7:$x2: NanoCore.ClientPluginHost 0x4d6e5:$x2: NanoCore.ClientPluginHost 0x594d7:$x2: NanoCore.ClientPluginHost 0x65332:$x2: NanoCore.ClientPluginHost 0x15e48:$s2: FileCommand 0x39085:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a84a:$s4: PipeCreated 0x2214c:$s4: PipeCreated 0x28774:$s4: PipeCreated 0x2e756:$s4: PipeCreated 0x38325:$s4: PipeCreated 0x426f2:$s4: PipeCreated 0x4e71a:$s4: PipeCreated 0x5b282:$s4: PipeCreated
11.2.opjlpsercy.exe.290b950.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14e53:$a: NanoCore 0x14e79:$a: NanoCore 0x14ed5:$a: NanoCore 0x21d77:$a: NanoCore 0x21dd0:$a: NanoCore 0x21e03:$a: NanoCore 0x2202f:$a: NanoCore 0x220ab:$a: NanoCore 0x226c4:$a: NanoCore 0x2280d:$a: NanoCore 0x22ce1:$a: NanoCore 0x22fc8:$a: NanoCore 0x22fdf:$a: NanoCore 0x28659:$a: NanoCore 0x286d3:$a: NanoCore 0x2e678:$a: NanoCore 0x2e6c2:$a: NanoCore 0x2f31c:$a: NanoCore
0.2.dYy3yfSkwY.exe.2191458.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.dYy3yfSkwY.exe.2191458.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.dYy3yfSkwY.exe.2191458.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.dYy3yfSkwY.exe.2191458.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.2.opjlpsercy.exe.2917c24.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d5b:$x1: NanoCore.ClientPluginHost 0x1c385:$x1: NanoCore.ClientPluginHost 0x223a4:$x1: NanoCore.ClientPluginHost 0x2be5b:$x1: NanoCore.ClientPluginHost 0x362d3:$x1: NanoCore.ClientPluginHost 0x41411:$x1: NanoCore.ClientPluginHost 0x4d203:$x1: NanoCore.ClientPluginHost 0x5905e:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d94:$x2: IClientNetworkHost 0x1c3be:$x2: IClientNetworkHost 0x2bfb8:$x2: IClientNetworkHost 0x3630c:$x2: IClientNetworkHost 0x4142b:$x2: IClientNetworkHost 0x4d21d:$x2: IClientNetworkHost 0x5909b:$x2: IClientNetworkHost
11.2.opjlpsercy.exe.2917c24.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d5b:$x2: NanoCore.ClientPluginHost 0x1c385:$x2: NanoCore.ClientPluginHost 0x223a4:$x2: NanoCore.ClientPluginHost 0x2be5b:$x2: NanoCore.ClientPluginHost 0x362d3:$x2: NanoCore.ClientPluginHost 0x41411:$x2: NanoCore.ClientPluginHost 0x4d203:$x2: NanoCore.ClientPluginHost 0x5905e:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x2cdb1:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e78:$s4: PipeCreated 0x1c4a0:$s4: PipeCreated 0x22482:$s4: PipeCreated 0x2c051:$s4: PipeCreated 0x3641e:$s4: PipeCreated 0x42446:$s4: PipeCreated 0x4efae:$s4: PipeCreated 0x5c4b1:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
11.2.opjlpsercy.exe.2917c24.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15aa3:$a: NanoCore 0x15afc:$a: NanoCore 0x15b2f:$a: NanoCore 0x15d5b:$a: NanoCore 0x15dd7:$a: NanoCore 0x163f0:$a: NanoCore 0x16539:$a: NanoCore 0x16a0d:$a: NanoCore 0x16cf4:$a: NanoCore 0x16d0b:$a: NanoCore 0x1c385:$a: NanoCore 0x1c3ff:$a: NanoCore 0x223a4:$a: NanoCore 0x223ee:$a: NanoCore 0x23048:$a: NanoCore 0x2be5b:$a: NanoCore 0x2bf45:$a: NanoCore 0x2cdbc:$a: NanoCore
11.2.opjlpsercy.exe.4b00000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.opjlpsercy.exe.4b00000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.opjlpsercy.exe.4b00000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.4b00000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.opjlpsercy.exe.3aaaf52.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14dd7:$x1: NanoCore.ClientPluginHost 0x21f40:$x1: NanoCore.ClientPluginHost 0x2848e:$x1: NanoCore.ClientPluginHost 0x2e45f:$x1: NanoCore.ClientPluginHost 0x37ecb:$x1: NanoCore.ClientPluginHost 0x422f6:$x1: NanoCore.ClientPluginHost 0x4d2d3:$x1: NanoCore.ClientPluginHost 0x59075:$x1: NanoCore.ClientPluginHost 0x6e54d:$x1: NanoCore.ClientPluginHost 0x967af:$x1: NanoCore.ClientPluginHost 0xa5bef:$x1: NanoCore.ClientPluginHost 0xbda8b:$x1: NanoCore.ClientPluginHost 0xe5cd9:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e04:$x2: IClientNetworkHost 0x21f79:$x2: IClientNetworkHost 0x284c7:$x2: IClientNetworkHost 0x38028:$x2: IClientNetworkHost 0x4232f:$x2: IClientNetworkHost 0x4d2ed:$x2: IClientNetworkHost
11.2.opjlpsercy.exe.3aaaf52.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.opjlpsercy.exe.3aaaf52.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db1:$a: NanoCore 0x14dd7:$a: NanoCore 0x14e33:$a: NanoCore 0x21c88:$a: NanoCore 0x21ce1:$a: NanoCore 0x21d14:$a: NanoCore 0x21f40:$a: NanoCore 0x21fbc:$a: NanoCore 0x225d5:$a: NanoCore 0x2271e:$a: NanoCore 0x22bf2:$a: NanoCore 0x22ed9:$a: NanoCore 0x22ef0:$a: NanoCore 0x2848e:$a: NanoCore 0x28508:$a: NanoCore 0x2d0a5:$a: NanoCore 0x2e45f:$a: NanoCore 0x2e4a9:$a: NanoCore
Click to see the 105 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\dYy3yfSkwY.exe, ProcessId: 668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\dYy3yfSkwY.exe, ProcessId: 668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\dYy3yfSkwY.exe, ProcessId: 668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\dYy3yfSkwY.exe, ProcessId: 668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "4614bd42-26c0-4da0-8e09-16890d37", "Group": "Default", "Domain1": "wekeepworking.sytes.net", "Domain2": "wekeepworking12.sytes.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for domain / URL

Show sources

Source: wekeepworking.sytes.net	Virustotal: Detection: 7%			Perma Link
Source: wekeepworking.sytes.net	Virustotal: Detection: 7%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Show sources

Source: dYy3yfSkwY.exe	Virustotal: Detection: 19%			Perma Link
Source: dYy3yfSkwY.exe	ReversingLabs: Detection: 34%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 3724, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 4520, type: MEMORY
Source: Yara match	File source: Process Memory Space: dYy3yfSkwY.exe PID: 668, type: MEMORY
Source: Yara match	File source: Process Memory Space: dYy3yfSkwY.exe PID: 6108, type: MEMORY
Source: Yara match	File source: 7.2.opjlpsercy.exe.9810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4a70000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9821458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4a70000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3ab7184.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2180000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.38e3258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2180000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3aa6126.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.38e3258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9821458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2191458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4b00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3aaaf52.6.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: dYy3yfSkwY.exe

Joe Sandbox ML: detected

Source: 0.2.dYy3yfSkwY.exe.9920000.6.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.opjlpsercy.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.opjlpsercy.exe.40ff3e.2.unpack	Avira: Label: ADWARE/Patched.Ren.Gen7
Source: 11.1.opjlpsercy.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.dYy3yfSkwY.exe.40ff3e.2.unpack	Avira: Label: ADWARE/Patched.Ren.Gen7
Source: 3.1.dYy3yfSkwY.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.opjlpsercy.exe.4b00000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe

Unpacked PE file: 11.2.opjlpsercy.exe.400000.0.unpack

Source: dYy3yfSkwY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: wntdll.pdbUGP source: dYy3yfSkwY.exe, 00000000.00000003.246656563.0000000009D50000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000003.296059729.0000000009A40000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: dYy3yfSkwY.exe, 00000000.00000003.246656563.0000000009D50000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000003.296059729.0000000009A40000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb` source: dYy3yfSkwY.exe, 00000003.00000003.314381355.00000000059AD000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 3_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 14_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 14_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 14_2_0040263E FindFirstFileA,

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: wekeepworking.sytes.net
Source: Malware configuration extractor	URLs: wekeepworking12.sytes.net

Source: global traffic

TCP traffic: 192.168.2.7:49722 -> 79.134.225.90:1144

Source: Joe Sandbox View

IP Address: 79.134.225.90 79.134.225.90

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown

DNS traffic detected: queries for: wekeepworking.sytes.net

Source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: opjlpsercy.exe, opjlpsercy.exe, 0000000E.00000002.498586317.0000000000409000.00000004.00020000.sdmp, dYy3yfSkwY.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: dYy3yfSkwY.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 3724, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 4520, type: MEMORY
Source: Yara match	File source: Process Memory Space: dYy3yfSkwY.exe PID: 668, type: MEMORY
Source: Yara match	File source: Process Memory Space: dYy3yfSkwY.exe PID: 6108, type: MEMORY
Source: Yara match	File source: 7.2.opjlpsercy.exe.9810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4a70000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9821458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4a70000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3ab7184.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2180000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.38e3258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2180000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3aa6126.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.38e3258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9821458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2191458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4b00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3aaaf52.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.319549745.00000000028EE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: opjlpsercy.exe PID: 3724, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: opjlpsercy.exe PID: 3724, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: opjlpsercy.exe PID: 4520, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: opjlpsercy.exe PID: 4520, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dYy3yfSkwY.exe PID: 668, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dYy3yfSkwY.exe PID: 668, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dYy3yfSkwY.exe PID: 6108, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dYy3yfSkwY.exe PID: 6108, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.3ab7184.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.290b950.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.9810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.9810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.4a70000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.4a70000.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.9821458.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.9821458.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.4a70000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.4a70000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.3ab7184.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.3ab7184.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.dYy3yfSkwY.exe.2180000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.1.dYy3yfSkwY.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.dYy3yfSkwY.exe.2180000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.1.dYy3yfSkwY.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.1.dYy3yfSkwY.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.1.dYy3yfSkwY.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.38e3258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.38e3258.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.dYy3yfSkwY.exe.2180000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.dYy3yfSkwY.exe.2180000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.29068e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.29068e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.3aa6126.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.3aa6126.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.2917c24.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.3aaaf52.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.9810000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.9810000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.38e3258.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.38e3258.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.9821458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.9821458.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.1.dYy3yfSkwY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.1.dYy3yfSkwY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.290b950.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.290b950.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.dYy3yfSkwY.exe.2191458.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.dYy3yfSkwY.exe.2191458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.2917c24.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.2917c24.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.opjlpsercy.exe.3aaaf52.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.opjlpsercy.exe.3aaaf52.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 14_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 0_2_00404853
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 0_2_00406131
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 0_2_72C01A98
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 3_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_6D991A98
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_024623A0
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_02462FA8
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_0246306F
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 14_2_00404853
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 14_2_00406131

Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: String function: 0040569E appears 36 times

Source: dYy3yfSkwY.exe, 00000000.00000003.250569725.0000000009F0F000.00000004.00000001.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs dYy3yfSkwY.exe

Source: dYy3yfSkwY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.319549745.00000000028EE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: opjlpsercy.exe PID: 3724, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: opjlpsercy.exe PID: 3724, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: opjlpsercy.exe PID: 4520, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: opjlpsercy.exe PID: 4520, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dYy3yfSkwY.exe PID: 668, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dYy3yfSkwY.exe PID: 668, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dYy3yfSkwY.exe PID: 6108, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dYy3yfSkwY.exe PID: 6108, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.3ab7184.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.3ab7184.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.290b950.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.290b950.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.9810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.9810000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.4a70000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.4a70000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.4a70000.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.9821458.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.9821458.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.9821458.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.4a70000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.4a70000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.4a70000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.3ab7184.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.3ab7184.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.dYy3yfSkwY.exe.2180000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.1.dYy3yfSkwY.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.1.dYy3yfSkwY.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.dYy3yfSkwY.exe.2180000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.1.dYy3yfSkwY.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.1.dYy3yfSkwY.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.1.dYy3yfSkwY.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.1.dYy3yfSkwY.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.38e3258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.38e3258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.38e3258.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.dYy3yfSkwY.exe.2180000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.dYy3yfSkwY.exe.2180000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.29068e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.29068e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.29068e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.3aa6126.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.3aa6126.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.2917c24.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.2917c24.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.3aaaf52.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.3aaaf52.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.9810000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.9810000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.38e3258.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.38e3258.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.38e3258.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.9821458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.9821458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.9821458.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.1.dYy3yfSkwY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.1.dYy3yfSkwY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.290b950.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.290b950.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.290b950.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.dYy3yfSkwY.exe.2191458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.dYy3yfSkwY.exe.2191458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.dYy3yfSkwY.exe.2191458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.2917c24.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.2917c24.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.2917c24.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.opjlpsercy.exe.3aaaf52.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.opjlpsercy.exe.3aaaf52.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/13@58/1

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Code function: 3_1_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

File created: C:\Users\user\AppData\Roaming\monsuyajo

Jump to behavior

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{4614bd42-26c0-4da0-8e09-16890d37c1d7}

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsz21ED.tmp

Jump to behavior

Source: dYy3yfSkwY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: dYy3yfSkwY.exe	Virustotal: Detection: 19%
Source: dYy3yfSkwY.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

File read: C:\Users\user\Desktop\dYy3yfSkwY.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dYy3yfSkwY.exe 'C:\Users\user\Desktop\dYy3yfSkwY.exe'
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process created: C:\Users\user\Desktop\dYy3yfSkwY.exe 'C:\Users\user\Desktop\dYy3yfSkwY.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process created: C:\Users\user\Desktop\dYy3yfSkwY.exe 'C:\Users\user\Desktop\dYy3yfSkwY.exe'
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: wntdll.pdbUGP source: dYy3yfSkwY.exe, 00000000.00000003.246656563.0000000009D50000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000003.296059729.0000000009A40000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: dYy3yfSkwY.exe, 00000000.00000003.246656563.0000000009D50000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000003.296059729.0000000009A40000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb` source: dYy3yfSkwY.exe, 00000003.00000003.314381355.00000000059AD000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe

Unpacked PE file: 11.2.opjlpsercy.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe

Unpacked PE file: 11.2.opjlpsercy.exe.400000.0.unpack

.NET source code contains potential unpacker

Show sources

Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 0_2_72C02F60 push eax; ret
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 3_1_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_6D992F60 push eax; ret
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_1_00401F16 push ecx; ret

Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	File created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	File created: C:\Users\user\AppData\Local\Temp\nso6CF2.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	File created: C:\Users\user\AppData\Local\Temp\nsz21EF.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ppeejliapu			Jump to behavior
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ppeejliapu			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

File opened: C:\Users\user\Desktop\dYy3yfSkwY.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Window / User API: foregroundWindowGot 466
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Window / User API: foregroundWindowGot 523

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe TID: 5000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe TID: 4772	Thread sleep time: -620000s >= -30000s
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe TID: 4352	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe TID: 6376	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe TID: 6364	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 3_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 14_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 14_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 14_2_0040263E FindFirstFileA,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Code function: 3_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 3_1_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_1_004035F1 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Code function: 3_1_004067FE GetProcessHeap,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 3_1_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 3_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 3_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Code function: 3_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_1_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 11_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Section loaded: unknown target: C:\Users\user\Desktop\dYy3yfSkwY.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Section loaded: unknown target: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe protection: execute and read and write

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe	Process created: C:\Users\user\Desktop\dYy3yfSkwY.exe 'C:\Users\user\Desktop\dYy3yfSkwY.exe'
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'

Source: opjlpsercy.exe, 0000000E.00000002.500745713.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: dYy3yfSkwY.exe, 00000003.00000003.335200967.0000000005983000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: opjlpsercy.exe, 0000000E.00000002.500745713.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: opjlpsercy.exe, 0000000E.00000002.500745713.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: dYy3yfSkwY.exe, 00000003.00000003.344875253.000000000073C000.00000004.00000001.sdmp	Binary or memory string: Program Managerknown.
Source: opjlpsercy.exe, 0000000E.00000002.500745713.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Code function: 3_1_0040208D cpuid

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Code function: 3_1_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,StrCmpNIW,lstrlenA,

Source: C:\Users\user\Desktop\dYy3yfSkwY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 3724, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 4520, type: MEMORY
Source: Yara match	File source: Process Memory Space: dYy3yfSkwY.exe PID: 668, type: MEMORY
Source: Yara match	File source: Process Memory Space: dYy3yfSkwY.exe PID: 6108, type: MEMORY
Source: Yara match	File source: 7.2.opjlpsercy.exe.9810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4a70000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9821458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4a70000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3ab7184.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2180000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.38e3258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2180000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3aa6126.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.38e3258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9821458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2191458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4b00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3aaaf52.6.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: dYy3yfSkwY.exe, 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dYy3yfSkwY.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: opjlpsercy.exe, 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: opjlpsercy.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: opjlpsercy.exe, 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 3724, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 4520, type: MEMORY
Source: Yara match	File source: Process Memory Space: dYy3yfSkwY.exe PID: 668, type: MEMORY
Source: Yara match	File source: Process Memory Space: dYy3yfSkwY.exe PID: 6108, type: MEMORY
Source: Yara match	File source: 7.2.opjlpsercy.exe.9810000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4a70000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9821458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4a70000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3ab7184.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2180000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.38e3258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2180000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3aa6126.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9810000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.38e3258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.9821458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.dYy3yfSkwY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dYy3yfSkwY.exe.2191458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.4b00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.opjlpsercy.exe.3aaaf52.6.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Registry Run Keys / Startup Folder1	Process Injection112	Disable or Modify Tools1	Input Capture11	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Deobfuscate/Decode Files or Information11	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	System Information Discovery15	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing31	NTDS	Security Software Discovery13	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion31	Cached Domain Credentials	Virtualization/Sandbox Evasion31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dYy3yfSkwY.exe	19%	Virustotal		Browse
dYy3yfSkwY.exe	35%	ReversingLabs	Win32.Trojan.NanoBot
dYy3yfSkwY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nso6CF2.tmp\System.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nso6CF2.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsz21EF.tmp\System.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsz21EF.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	35%	ReversingLabs	Win32.Trojan.NanoBot

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.dYy3yfSkwY.exe.9920000.6.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
7.0.opjlpsercy.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
11.0.opjlpsercy.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
11.2.opjlpsercy.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.2.dYy3yfSkwY.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
14.0.opjlpsercy.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
0.0.dYy3yfSkwY.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
7.2.opjlpsercy.exe.40ff3e.2.unpack	100%	Avira	ADWARE/Patched.Ren.Gen7	Download File
7.2.opjlpsercy.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
11.1.opjlpsercy.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.2.dYy3yfSkwY.exe.40ff3e.2.unpack	100%	Avira	ADWARE/Patched.Ren.Gen7	Download File
3.1.dYy3yfSkwY.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
11.2.opjlpsercy.exe.4b00000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.2.opjlpsercy.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
3.0.dYy3yfSkwY.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File

Domains

Source	Detection	Scanner	Label	Link
wekeepworking.sytes.net	8%	Virustotal		Browse
wekeepworking12.sytes.net	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
wekeepworking.sytes.net	8%	Virustotal		Browse
wekeepworking.sytes.net	0%	Avira URL Cloud	safe
wekeepworking12.sytes.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wekeepworking.sytes.net	79.134.225.90	true	true	8%, Virustotal, Browse	unknown
wekeepworking12.sytes.net	unknown	unknown	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wekeepworking.sytes.net	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
wekeepworking12.sytes.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	opjlpsercy.exe, opjlpsercy.exe, 0000000E.00000002.498586317.0000000000409000.00000004.00020000.sdmp, dYy3yfSkwY.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	dYy3yfSkwY.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.90	wekeepworking.sytes.net	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432605
Start date:	10.06.2021
Start time:	15:30:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	dYy3yfSkwY.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/13@58/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 77.4% (good quality ratio 72.2%) Quality average: 79.4% Quality standard deviation: 29.9%
HCA Information:	Successful, ratio: 80% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 51.103.5.159, 13.88.21.125, 204.79.197.200, 13.107.21.200, 23.211.6.115, 52.255.188.83, 13.64.90.137, 184.30.24.56, 20.82.210.154, 8.238.36.254, 8.238.85.254, 8.241.78.126, 8.238.30.126, 8.238.85.126, 51.103.5.186, 92.122.213.194, 92.122.213.247, 20.72.88.19, 20.75.105.140, 20.54.26.129, 20.49.157.6 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:31:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ppeejliapu C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
15:31:28	API Interceptor	870x Sleep call for process: dYy3yfSkwY.exe modified
15:31:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ppeejliapu C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
15:31:41	API Interceptor	1x Sleep call for process: opjlpsercy.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.90	Purchase Order Price List 061021.xlsx	Get hash	malicious	Browse
	ZVFVY7NwZ7.exe	Get hash	malicious	Browse
	kyIfnzzg3E.exe	Get hash	malicious	Browse
	Ref 0180066743.xlsx	Get hash	malicious	Browse
	AedJpyQ9lM.exe	Get hash	malicious	Browse
	Purchase Order Price List.xlsx	Get hash	malicious	Browse
	qdFDmi3Bhy.exe	Get hash	malicious	Browse
	A2PlnLyOA7.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.37013274.28794.exe	Get hash	malicious	Browse
	LOT_20210526.xlsx	Get hash	malicious	Browse
	Q2MAUt4mRO.exe	Get hash	malicious	Browse
	4fn66P5vkl.exe	Get hash	malicious	Browse
	P_O 00041221.xlsx	Get hash	malicious	Browse
	LOT_20210526.xlsx	Get hash	malicious	Browse
	Swift Copy.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wekeepworking.sytes.net	Purchase Order Price List 061021.xlsx	Get hash	malicious	Browse	79.134.225.90
	ZVFVY7NwZ7.exe	Get hash	malicious	Browse	79.134.225.90
	kyIfnzzg3E.exe	Get hash	malicious	Browse	79.134.225.90
	Ref 0180066743.xlsx	Get hash	malicious	Browse	79.134.225.90
	AedJpyQ9lM.exe	Get hash	malicious	Browse	79.134.225.90
	Purchase Order Price List.xlsx	Get hash	malicious	Browse	79.134.225.90
	qdFDmi3Bhy.exe	Get hash	malicious	Browse	79.134.225.90
	A2PlnLyOA7.exe	Get hash	malicious	Browse	79.134.225.90
	SecuriteInfo.com.Trojan.GenericKD.37013274.28794.exe	Get hash	malicious	Browse	79.134.225.90
	LOT_20210526.xlsx	Get hash	malicious	Browse	79.134.225.90
	Q2MAUt4mRO.exe	Get hash	malicious	Browse	79.134.225.90
	4fn66P5vkl.exe	Get hash	malicious	Browse	79.134.225.90
	P_O 00041221.xlsx	Get hash	malicious	Browse	79.134.225.90
	LOT_20210526.xlsx	Get hash	malicious	Browse	79.134.225.90
	QI5MR3pte0.exe	Get hash	malicious	Browse	185.140.53.40
	5Em2NXNxSt.exe	Get hash	malicious	Browse	185.140.53.40
	7Zpsd899Kf.exe	Get hash	malicious	Browse	185.140.53.40
	LfgEatrwIF.exe	Get hash	malicious	Browse	185.140.53.40

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	Purchase Order Price List 061021.xlsx	Get hash	malicious	Browse	79.134.225.90
	ZVFVY7NwZ7.exe	Get hash	malicious	Browse	79.134.225.90
	0jyrU2E05S.exe	Get hash	malicious	Browse	79.134.225.72
	kyIfnzzg3E.exe	Get hash	malicious	Browse	79.134.225.90
	Ref 0180066743.xlsx	Get hash	malicious	Browse	79.134.225.90
	MS2106071066.exe	Get hash	malicious	Browse	79.134.225.71
	Kangean PO.doc	Get hash	malicious	Browse	79.134.225.72
	facture.jar	Get hash	malicious	Browse	79.134.225.69
	c3yBu1IF57.exe	Get hash	malicious	Browse	79.134.225.92
	DPSGNwkO1Z.exe	Get hash	malicious	Browse	79.134.225.25
	SecuriteInfo.com.Trojan.Win32.Save.a.16917.exe	Get hash	malicious	Browse	79.134.225.94
	AedJpyQ9lM.exe	Get hash	malicious	Browse	79.134.225.90
	H538065217Invoice.exe	Get hash	malicious	Browse	79.134.225.9
	Purchase Order Price List.xlsx	Get hash	malicious	Browse	79.134.225.90
	P.I-84512.doc	Get hash	malicious	Browse	79.134.225.41
	l00VLAF9y0xQ9Vr.exe	Get hash	malicious	Browse	79.134.225.92
	Swift [ref QT #U2013 2102001-R2]pdf.exe	Get hash	malicious	Browse	79.134.225.10
	PO756654.exe	Get hash	malicious	Browse	79.134.225.99
	qdFDmi3Bhy.exe	Get hash	malicious	Browse	79.134.225.90
	br.exe	Get hash	malicious	Browse	79.134.225.73

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nso6CF2.tmp\System.dll	PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx	Get hash	malicious	Browse
	Purchase Order Price List 061021.xlsx	Get hash	malicious	Browse
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse
	UGGJ4NnzFz.exe	Get hash	malicious	Browse
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse
	3arZKnr21W.exe	Get hash	malicious	Browse
	Shipping receipt.exe	Get hash	malicious	Browse
	New Order TL273723734533.pdf.exe	Get hash	malicious	Browse
	YZ8OvkljWm.exe	Get hash	malicious	Browse
	U03c2doc.exe	Get hash	malicious	Browse
	QUOTE061021.exe	Get hash	malicious	Browse
	PAYMENT CONFIRMATION.exe	Get hash	malicious	Browse
	PO187439.exe	Get hash	malicious	Browse
	090009000000090.exe	Get hash	malicious	Browse
	NEWORDERLIST.exe	Get hash	malicious	Browse
	00404000004.exe	Get hash	malicious	Browse
	40900900090000.exe	Get hash	malicious	Browse
	INVO090090202.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.Injector.AIC.genEldorado.29599.exe	Get hash	malicious	Browse
	D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\opjlpsercy.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\eq64oqvr7vut3n4dt5cu Download File
Process:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
File Type:	data
Category:	modified
Size (bytes):	616448
Entropy (8bit):	7.999692733314968
Encrypted:	true
SSDEEP:	12288:2Ph/JQuO9xgeB2Q54fr2dM4av0CGBmhFoqS3UDmhcOQV5eZTr:6diuMxgy6frQuv0L0hFoqSkDmhcOsS/
MD5:	7A73EF366D5F76E92D47C3064D0E3A26
SHA1:	C7638BBDAB4934280BD2A5F5B004623568BBD876
SHA-256:	55713D87E066560138EB389AB6FE3DB6EA642EB5C0149992FC99A38D09AA86B4
SHA-512:	908A167E2692BA331A06770A818FA9C2A7CB325374A2EEA086FB499B6069B6B7D0C6667D49BB49DDC5877B8A2BA22ABF9E0AF531A38487058CBBF7408D9C1906
Malicious:	false
Reputation:	low
Preview:	}.........e... 6..5Ckz...p.wB....}...e..O./r.5R..r.V..;]A.N..Jgmi...Z%r.R.)4...-4..pYG.q..by.......\|.=~_+xi.@N...+<.!.R.m.f~}..!.(C.......[.4@?1..._.l.5....l......+..cy..+]...U.u5...f.}n....t.F. =..$d..D...GX...0H..J6...J.BT..%...O..t.'P....f.....u..._<.f&(Z.K....^..W.?...?..k.k@...z.....O.R..N..JsI.)i.8n.:...k..`..]...,3.[j.{UE...>.Q.]J-...(..G~....%p...x...~.Gv...........t.........3..:U3.FG..$rr.)......_....2.!.o.B......~....'.x...c..V43....,].0L{.KIl0....d0...4.....#..._P.T+..ROQ...3..1.Z...)._.G,......>.`.......c.b]..B.....j....?..+.F..P?..........[p/\u.3..Q.j..d....<+...~S....t..:=Z...!U.)H..+.X..R.F.;E.w.k@G.pE[6..,.d....P.z...s.YQ..@..6....~M.f`....,-.l=..........:.(...j7..7p...P\|=...x..Kbl...........[..Y.s...FG.b.x...(.....Ol.)....,.p.....3jx..#X..2..q...G...W(D~r..KuoH...@Toi[....*h"g.e...=.<g..W/.4.~.Z..tH....H.i......;..om.C.5+S...E.........../.V.,..&\|...i....9W".~..&..,.?.w B.9......}....7&.JjFU.......E'.........

C:\Users\user\AppData\Local\Temp\fonknpk Download File
Process:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
File Type:	data
Category:	dropped
Size (bytes):	60113
Entropy (8bit):	4.930356039937102
Encrypted:	false
SSDEEP:	1536:Fqa448V8tJKh6oKyLiTltDtnbBZdZzzzhxaWFg:0amCJKh6onaltDtn9nZzzWz
MD5:	E25AE6DAF4BB7B1AA0EF37BBC646B782
SHA1:	5C728BDBDC69527306370AECC6D5C268523F043B
SHA-256:	61CA2BDC62BD28E9B004B7F109F66FC8B0344A24FFDBF50EBBB0106A54865B01
SHA-512:	1A1DA41FDB905C7D54877E9E16F71FF37662BE2AB6A1C1E2AC46BC7600ECEB6323894839424C7A7A06C2FC366BB0A59F070BD56AD3CE1070335CBA56AB88051A
Malicious:	false
Reputation:	low
Preview:	U..!.......T...%.U...h.V...<.W...,.X...,.Y.....Z.....[...(.\.....]...n.^...0._...,.`.....a.....b...(.c.....d...(.e...x.f...#.g...,.h...,.i.....j.....k.....l...,.m...c.n.....o...d.p...<.q...,.r...,.s...,.t.....u.....v...H.w.....x.....y.....z.....{.....\|...d.}...,.~.........2.......................b.....,.....,...........................................................d.......................d.....'.....P.....c...........l...........,.....,.....,.......................+.....+.....+.................p.................l.....,...........2.................p.....b.....,.....,.................p.......................p.................l.......................l.....'.....P.....c.................$.....,.....,.....,.......................+.....+.....+.................x.......................,...........2.................x.....b.....,.....,.................x

C:\Users\user\AppData\Local\Temp\nso6CF1.tmp Download File
Process:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
File Type:	data
Category:	dropped
Size (bytes):	709852
Entropy (8bit):	7.87001429899952
Encrypted:	false
SSDEEP:	12288:4Ph/JQuO9xgeB2Q54fr2dM4av0CGBmhFoqS3UDmhcOQV5eZTB6oI5BN:cdiuMxgy6frQuv0L0hFoqSkDmhcOsS98
MD5:	AEF5690996B3714098A9E0B69D9E5828
SHA1:	24B935683ECD3F3AF9F9EFE2620D6D05EFFED89C
SHA-256:	DBAADCC0481847BAB4237EDCF2F4990A047D5821BDFE186931103EAF17250101
SHA-512:	1F4A7C2FBD9553F7771B30CB907F7BAF3F4CF89450D9A79272250BA986CF92A249BE5E79827D332F709CEA8229EF37043F4236C626FDB82150EFD7AFE4D9DBED
Malicious:	false
Preview:	.S......,.......................T=.......S.......S..........................................................................................................................................................................................................................................J...................j...............................................................................................................................q.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nso6CF2.tmp\System.dll Download File
Process:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious, Browse Filename: Purchase Order Price List 061021.xlsx, Detection: malicious, Browse Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious, Browse Filename: UGGJ4NnzFz.exe, Detection: malicious, Browse Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious, Browse Filename: 3arZKnr21W.exe, Detection: malicious, Browse Filename: Shipping receipt.exe, Detection: malicious, Browse Filename: New Order TL273723734533.pdf.exe, Detection: malicious, Browse Filename: YZ8OvkljWm.exe, Detection: malicious, Browse Filename: U03c2doc.exe, Detection: malicious, Browse Filename: QUOTE061021.exe, Detection: malicious, Browse Filename: PAYMENT CONFIRMATION.exe, Detection: malicious, Browse Filename: PO187439.exe, Detection: malicious, Browse Filename: 090009000000090.exe, Detection: malicious, Browse Filename: NEWORDERLIST.exe, Detection: malicious, Browse Filename: 00404000004.exe, Detection: malicious, Browse Filename: 40900900090000.exe, Detection: malicious, Browse Filename: INVO090090202.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.Injector.AIC.genEldorado.29599.exe, Detection: malicious, Browse Filename: D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsx8F4E.tmp Download File
Process:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
File Type:	data
Category:	dropped
Size (bytes):	677854
Entropy (8bit):	7.91702747805609
Encrypted:	false
SSDEEP:	12288:4Ph/JQuO9xgeB2Q54fr2dM4av0CGBmhFoqS3UDmhcOQV5eZTB6oIL:cdiuMxgy6frQuv0L0hFoqSkDmhcOsS9a
MD5:	DD79AD8B5A51E756E3D0A2E149070DAA
SHA1:	9A999AE83C3078E311859D2AC02D97C8A95D4A51
SHA-256:	90B79E2B60E81A85EAFEA954724DD02BA7FAAF8CE63A3AD5C94BE5CDE5CE4256
SHA-512:	3F56D2AFEB344DC19DDEA59A8504366D1E118F2B4824CBC0E967D22BC2E616A726E7C846AABE7A3ED602B6328CB82A7338D4F97114DEC67FB896780A43E16D5F
Malicious:	false
Preview:	.S......,.......................T=.......S.......S..........................................................................................................................................................................................................................................J...................j...............................................................................................................................q.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz21EE.tmp Download File
Process:	C:\Users\user\Desktop\dYy3yfSkwY.exe
File Type:	data
Category:	dropped
Size (bytes):	709852
Entropy (8bit):	7.87001429899952
Encrypted:	false
SSDEEP:	12288:4Ph/JQuO9xgeB2Q54fr2dM4av0CGBmhFoqS3UDmhcOQV5eZTB6oI5BN:cdiuMxgy6frQuv0L0hFoqSkDmhcOsS98
MD5:	AEF5690996B3714098A9E0B69D9E5828
SHA1:	24B935683ECD3F3AF9F9EFE2620D6D05EFFED89C
SHA-256:	DBAADCC0481847BAB4237EDCF2F4990A047D5821BDFE186931103EAF17250101
SHA-512:	1F4A7C2FBD9553F7771B30CB907F7BAF3F4CF89450D9A79272250BA986CF92A249BE5E79827D332F709CEA8229EF37043F4236C626FDB82150EFD7AFE4D9DBED
Malicious:	false
Preview:	.S......,.......................T=.......S.......S..........................................................................................................................................................................................................................................J...................j...............................................................................................................................q.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz21EF.tmp\System.dll Download File
Process:	C:\Users\user\Desktop\dYy3yfSkwY.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\dYy3yfSkwY.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:JR5tn:Rt
MD5:	537E946452ACB3A53CA8A63365818B7D
SHA1:	D0AB80082C59716C5C9A98284944590E5181BAE1
SHA-256:	F1C48C451E7B84D0CA328645EBBFCF632B9AA3ECAEE74FB36F3A84A2576B08FC
SHA-512:	2BF90A1A45B9F9A8351E3F1140C1D4151DABB3104F70C9C4A61F5CB43D0EECC1B2B6CD171A24899DDC1010ABA4BE450BFD46A101A3F7E05B86ED3935A5172763
Malicious:	true
Preview:	...\|_,.H

C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe Download File
Process:	C:\Users\user\Desktop\dYy3yfSkwY.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	modified
Size (bytes):	682684
Entropy (8bit):	7.985587248644902
Encrypted:	false
SSDEEP:	12288:y4Bwh6Ga/zhQmHMbNdSsTIDy5dX5Z6fdBUd+YiUjBumJBP4/MW:y4B/Ga/zhQ0MhTUCdX5Z6fd24YZjkmJy
MD5:	3DEB8B7E51C21CBA0C2C723C5AF953DD
SHA1:	F98809B1B883912D278F7EAF64D7EEDFAEE1EF5A
SHA-256:	C0503F7C65391A5BE8030BBAAF6C17260FA67E40A3FCC23B84C26610C266008B
SHA-512:	27B12686A9979FD2107806B3C923F5E616FEA6F9DBFA0DBC1516FEE88C330B3DD81C82794E20F085FDF324E1EA4EFF9B4A942E55FB19F13CE1DBE24074E76A94
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 35%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.985587248644902
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dYy3yfSkwY.exe
File size:	682684
MD5:	3deb8b7e51c21cba0c2c723c5af953dd
SHA1:	f98809b1b883912d278f7eaf64d7eedfaee1ef5a
SHA256:	c0503f7c65391a5be8030bbaaf6c17260fa67e40a3fcc23b84c26610c266008b
SHA512:	27b12686a9979fd2107806b3c923f5e616fea6f9dbfa0dbc1516fee88c330b3dd81c82794e20f085fdf324e1ea4eff9b4a942e55fb19f13ce1dbe24074e76a94
SSDEEP:	12288:y4Bwh6Ga/zhQmHMbNdSsTIDy5dX5Z6fdBUd+YiUjBumJBP4/MW:y4B/Ga/zhQ0MhTUCdX5Z6fd24YZjkmJy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General
Entrypoint:	0x40323c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007EFCEC7B83BEh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007EFCEC7B8071h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007EFCEC7B805Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007EFCEC7B57BCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007EFCEC7B7B52h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007EFCEC7B5815h
cmp cl, 00000020h
jne 00007EFCEC7B57B8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007EFCEC7B57ACh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x9e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a5a	0x5c00	False	0.660453464674	data	6.41769823686	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.4453125	data	5.18162709925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55859375	data	4.70902740305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x9e0	0xa00	False	0.45625	data	4.51012867721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c190	0x2e8	data	English	United States
RT_DIALOG	0x2c478	0x100	data	English	United States
RT_DIALOG	0x2c578	0x11c	data	English	United States
RT_DIALOG	0x2c698	0x60	data	English	United States
RT_GROUP_ICON	0x2c6f8	0x14	data	English	United States
RT_MANIFEST	0x2c710	0x2cc	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 15:31:32.256170034 CEST	49722	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:31:32.298551083 CEST	1144	49722	79.134.225.90	192.168.2.7
Jun 10, 2021 15:31:32.892158031 CEST	49722	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:31:32.938452959 CEST	1144	49722	79.134.225.90	192.168.2.7
Jun 10, 2021 15:31:33.595318079 CEST	49722	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:31:33.637559891 CEST	1144	49722	79.134.225.90	192.168.2.7
Jun 10, 2021 15:31:38.517224073 CEST	49726	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:31:38.559596062 CEST	1144	49726	79.134.225.90	192.168.2.7
Jun 10, 2021 15:31:39.174496889 CEST	49726	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:31:39.216864109 CEST	1144	49726	79.134.225.90	192.168.2.7
Jun 10, 2021 15:31:39.783345938 CEST	49726	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:31:39.825738907 CEST	1144	49726	79.134.225.90	192.168.2.7
Jun 10, 2021 15:31:44.200570107 CEST	49727	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:31:44.243030071 CEST	1144	49727	79.134.225.90	192.168.2.7
Jun 10, 2021 15:31:44.787401915 CEST	49727	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:31:44.830368996 CEST	1144	49727	79.134.225.90	192.168.2.7
Jun 10, 2021 15:31:45.397412062 CEST	49727	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:31:45.439717054 CEST	1144	49727	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:06.227036953 CEST	49732	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:06.269305944 CEST	1144	49732	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:06.785947084 CEST	49732	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:06.828233004 CEST	1144	49732	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:07.473495007 CEST	49732	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:07.515722036 CEST	1144	49732	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:11.718996048 CEST	49734	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:11.761199951 CEST	1144	49734	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:12.458354950 CEST	49734	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:12.500622034 CEST	1144	49734	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:13.052083969 CEST	49734	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:13.094351053 CEST	1144	49734	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:17.793564081 CEST	49738	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:17.835836887 CEST	1144	49738	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:18.474428892 CEST	49738	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:18.516717911 CEST	1144	49738	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:19.177577019 CEST	49738	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:19.219825029 CEST	1144	49738	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:38.670109987 CEST	49744	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:38.712363958 CEST	1144	49744	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:39.288662910 CEST	49744	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:39.331089973 CEST	1144	49744	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:39.835565090 CEST	49744	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:39.877747059 CEST	1144	49744	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:44.098090887 CEST	49745	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:44.140352011 CEST	1144	49745	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:44.648504972 CEST	49745	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:44.690763950 CEST	1144	49745	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:45.195491076 CEST	49745	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:45.239675045 CEST	1144	49745	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:49.354127884 CEST	49747	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:49.397049904 CEST	1144	49747	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:50.039633989 CEST	49747	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:50.081835985 CEST	1144	49747	79.134.225.90	192.168.2.7
Jun 10, 2021 15:32:50.649142027 CEST	49747	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:32:50.691443920 CEST	1144	49747	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:07.713429928 CEST	49758	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:07.756568909 CEST	1144	49758	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:08.259960890 CEST	49758	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:08.302097082 CEST	1144	49758	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:08.806840897 CEST	49758	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:08.849529028 CEST	1144	49758	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:12.967438936 CEST	49760	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:13.009537935 CEST	1144	49760	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:13.510713100 CEST	49760	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:13.553210020 CEST	1144	49760	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:14.057358980 CEST	49760	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:14.100600004 CEST	1144	49760	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:18.382356882 CEST	49761	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:18.424823999 CEST	1144	49761	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:18.932743073 CEST	49761	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:18.975100040 CEST	1144	49761	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:19.481445074 CEST	49761	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:19.524384975 CEST	1144	49761	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:37.387742996 CEST	49762	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:37.430013895 CEST	1144	49762	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:37.934243917 CEST	49762	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:37.976334095 CEST	1144	49762	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:38.481170893 CEST	49762	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:38.523412943 CEST	1144	49762	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:42.592185020 CEST	49763	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:42.635420084 CEST	1144	49763	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:43.137872934 CEST	49763	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:43.180259943 CEST	1144	49763	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:43.684914112 CEST	49763	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:43.727236986 CEST	1144	49763	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:47.794301987 CEST	49764	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:47.836405039 CEST	1144	49764	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:48.341409922 CEST	49764	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:48.383826971 CEST	1144	49764	79.134.225.90	192.168.2.7
Jun 10, 2021 15:33:48.900970936 CEST	49764	1144	192.168.2.7	79.134.225.90
Jun 10, 2021 15:33:48.943218946 CEST	1144	49764	79.134.225.90	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 15:31:09.740479946 CEST	56590	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:09.802063942 CEST	53	56590	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:09.883162022 CEST	60501	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:09.890121937 CEST	53775	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:09.940694094 CEST	53	53775	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:09.944700956 CEST	53	60501	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:10.568686008 CEST	51837	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:10.628315926 CEST	53	51837	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:11.021814108 CEST	55411	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:11.074650049 CEST	53	55411	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:11.882250071 CEST	63668	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:11.935273886 CEST	53	63668	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:12.798441887 CEST	54640	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:12.850076914 CEST	53	54640	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:13.890249968 CEST	58739	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:13.940596104 CEST	53	58739	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:15.300690889 CEST	60338	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:15.350857973 CEST	53	60338	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:16.270309925 CEST	58717	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:16.328941107 CEST	53	58717	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:17.423224926 CEST	59762	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:17.473433018 CEST	53	59762	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:18.508713961 CEST	54329	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:18.561316013 CEST	53	54329	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:19.659454107 CEST	58052	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:19.711213112 CEST	53	58052	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:20.854224920 CEST	54008	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:20.908163071 CEST	53	54008	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:21.731374979 CEST	59451	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:21.781802893 CEST	53	59451	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:22.975914955 CEST	52914	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:23.026335001 CEST	53	52914	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:23.770872116 CEST	64569	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:23.821301937 CEST	53	64569	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:25.417072058 CEST	52816	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:25.470490932 CEST	53	52816	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:26.555752993 CEST	50781	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:26.606208086 CEST	53	50781	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:27.949960947 CEST	54230	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:28.000865936 CEST	53	54230	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:28.952749014 CEST	54911	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:29.003180027 CEST	53	54911	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:30.239001989 CEST	49958	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:30.292411089 CEST	53	49958	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:31.213304996 CEST	50860	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:31.263319016 CEST	53	50860	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:32.181307077 CEST	50452	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:32.241700888 CEST	53	50452	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:32.318706036 CEST	59730	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:32.368755102 CEST	53	59730	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:33.951366901 CEST	59310	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:34.012972116 CEST	53	59310	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:38.392396927 CEST	51919	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:38.456140041 CEST	53	51919	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:44.103826046 CEST	64296	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:44.165118933 CEST	53	64296	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:50.121778965 CEST	56680	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:50.187407017 CEST	53	56680	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:50.405025959 CEST	58820	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:31:50.463737011 CEST	53	58820	8.8.4.4	192.168.2.7
Jun 10, 2021 15:31:51.727444887 CEST	60983	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:51.787632942 CEST	53	60983	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:54.240236044 CEST	49247	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:54.300666094 CEST	53	49247	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:56.567003012 CEST	52286	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:56.628379107 CEST	53	52286	8.8.8.8	192.168.2.7
Jun 10, 2021 15:31:56.670478106 CEST	56064	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:31:56.733058929 CEST	53	56064	8.8.4.4	192.168.2.7
Jun 10, 2021 15:31:57.163907051 CEST	63744	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:31:57.224091053 CEST	53	63744	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:01.350749016 CEST	61457	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:01.409303904 CEST	53	61457	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:01.448018074 CEST	58367	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:32:01.506397009 CEST	53	58367	8.8.4.4	192.168.2.7
Jun 10, 2021 15:32:01.741183043 CEST	60599	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:01.799926043 CEST	53	60599	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:04.091943979 CEST	59571	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:04.155689001 CEST	53	59571	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:06.151912928 CEST	52689	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:06.210746050 CEST	53	52689	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:06.367481947 CEST	50290	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:06.426503897 CEST	53	50290	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:11.659318924 CEST	60427	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:11.717715979 CEST	53	60427	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:14.530011892 CEST	56209	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:14.590982914 CEST	53	56209	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:17.732811928 CEST	59582	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:17.791794062 CEST	53	59582	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:23.874396086 CEST	60949	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:23.936460018 CEST	53	60949	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:24.386266947 CEST	58542	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:32:24.440260887 CEST	53	58542	8.8.4.4	192.168.2.7
Jun 10, 2021 15:32:24.450488091 CEST	59179	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:24.512348890 CEST	53	59179	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:29.021514893 CEST	60927	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:29.071624994 CEST	53	60927	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:29.627389908 CEST	57854	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:32:29.680424929 CEST	53	57854	8.8.4.4	192.168.2.7
Jun 10, 2021 15:32:30.022881985 CEST	62026	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:30.082581997 CEST	53	62026	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:31.405217886 CEST	59453	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:31.468714952 CEST	53	59453	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:34.235707998 CEST	62468	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:34.296143055 CEST	53	62468	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:34.343688965 CEST	52563	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:32:34.394994020 CEST	53	52563	8.8.4.4	192.168.2.7
Jun 10, 2021 15:32:34.449165106 CEST	54721	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:34.502379894 CEST	53	54721	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:38.559259892 CEST	62826	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:38.619369984 CEST	53	62826	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:44.031632900 CEST	62046	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:44.094465971 CEST	53	62046	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:49.139123917 CEST	51223	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:49.203449011 CEST	53	51223	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:49.292860985 CEST	63908	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:49.351901054 CEST	53	63908	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:50.428004026 CEST	49226	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:50.487853050 CEST	53	49226	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:51.227231026 CEST	60212	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:51.286628962 CEST	53	60212	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:51.499828100 CEST	58867	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:51.559743881 CEST	53	58867	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:52.368303061 CEST	50864	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:52.429727077 CEST	53	50864	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:53.433163881 CEST	61504	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:53.492062092 CEST	53	61504	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:54.548741102 CEST	60231	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:54.607161999 CEST	53	60231	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:54.726989031 CEST	50095	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:54.787355900 CEST	53	50095	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:54.834827900 CEST	59654	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:32:54.894740105 CEST	53	59654	8.8.4.4	192.168.2.7
Jun 10, 2021 15:32:54.959928989 CEST	58233	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:55.021729946 CEST	53	58233	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:55.823683023 CEST	56822	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:55.886241913 CEST	53	56822	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:57.232855082 CEST	62572	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:57.283457994 CEST	53	62572	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:58.623877048 CEST	57179	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:58.682997942 CEST	53	57179	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:59.071983099 CEST	56124	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:59.133754969 CEST	53	56124	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:59.138362885 CEST	62287	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:32:59.199341059 CEST	53	62287	8.8.4.4	192.168.2.7
Jun 10, 2021 15:32:59.245536089 CEST	54644	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:59.309763908 CEST	53	54644	8.8.8.8	192.168.2.7
Jun 10, 2021 15:32:59.916569948 CEST	59159	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:32:59.969732046 CEST	53	59159	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:03.369879961 CEST	57924	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:03.428838968 CEST	53	57924	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:03.432816029 CEST	51712	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:33:03.491652012 CEST	53	51712	8.8.4.4	192.168.2.7
Jun 10, 2021 15:33:03.528409958 CEST	58865	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:03.587806940 CEST	53	58865	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:07.648883104 CEST	64337	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:07.710572958 CEST	53	64337	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:11.301757097 CEST	50407	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:11.363635063 CEST	53	50407	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:12.904831886 CEST	61075	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:12.966074944 CEST	53	61075	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:18.322038889 CEST	54952	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:18.380691051 CEST	53	54952	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:23.732136011 CEST	59186	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:23.782618046 CEST	53	59186	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:23.784437895 CEST	52280	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:33:24.804606915 CEST	52280	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:33:24.866513014 CEST	53	52280	8.8.4.4	192.168.2.7
Jun 10, 2021 15:33:24.870029926 CEST	51794	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:24.920176983 CEST	53	51794	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:28.934925079 CEST	50815	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:28.994024038 CEST	53	50815	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:28.995167971 CEST	58498	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:33:29.057069063 CEST	53	58498	8.8.4.4	192.168.2.7
Jun 10, 2021 15:33:29.060477018 CEST	56862	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:29.110584974 CEST	53	56862	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:33.122565985 CEST	61807	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:33.181468964 CEST	53	61807	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:33.182643890 CEST	52009	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:33:33.244641066 CEST	53	52009	8.8.4.4	192.168.2.7
Jun 10, 2021 15:33:33.247688055 CEST	58648	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:33.309820890 CEST	53	58648	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:37.327805996 CEST	59337	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:37.386540890 CEST	53	59337	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:42.529644012 CEST	59269	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:42.590915918 CEST	53	59269	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:47.733093977 CEST	49802	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:47.793531895 CEST	53	49802	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:52.950977087 CEST	50706	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:53.010107994 CEST	53	50706	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:53.011431932 CEST	55153	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:33:53.079495907 CEST	53	55153	8.8.4.4	192.168.2.7
Jun 10, 2021 15:33:53.083364010 CEST	59744	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:53.144140005 CEST	53	59744	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:57.159787893 CEST	59987	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:57.218821049 CEST	53	59987	8.8.8.8	192.168.2.7
Jun 10, 2021 15:33:57.220031977 CEST	61272	53	192.168.2.7	8.8.4.4
Jun 10, 2021 15:33:57.282882929 CEST	53	61272	8.8.4.4	192.168.2.7
Jun 10, 2021 15:33:57.286722898 CEST	54352	53	192.168.2.7	8.8.8.8
Jun 10, 2021 15:33:57.339939117 CEST	53	54352	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 10, 2021 15:31:32.181307077 CEST	192.168.2.7	8.8.8.8	0xcbed	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:31:38.392396927 CEST	192.168.2.7	8.8.8.8	0xc120	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:31:44.103826046 CEST	192.168.2.7	8.8.8.8	0x6d75	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:31:50.121778965 CEST	192.168.2.7	8.8.8.8	0xd449	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:31:50.405025959 CEST	192.168.2.7	8.8.4.4	0x13a9	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:31:51.727444887 CEST	192.168.2.7	8.8.8.8	0x6724	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:31:56.567003012 CEST	192.168.2.7	8.8.8.8	0x55d5	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:31:56.670478106 CEST	192.168.2.7	8.8.4.4	0x511	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:31:57.163907051 CEST	192.168.2.7	8.8.8.8	0x2c7f	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:01.350749016 CEST	192.168.2.7	8.8.8.8	0x8a28	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:01.448018074 CEST	192.168.2.7	8.8.4.4	0xe2cd	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:01.741183043 CEST	192.168.2.7	8.8.8.8	0x1878	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:06.151912928 CEST	192.168.2.7	8.8.8.8	0xb2e0	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:11.659318924 CEST	192.168.2.7	8.8.8.8	0x5e2e	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:17.732811928 CEST	192.168.2.7	8.8.8.8	0x96e4	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:23.874396086 CEST	192.168.2.7	8.8.8.8	0xd453	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:24.386266947 CEST	192.168.2.7	8.8.4.4	0xc18e	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:24.450488091 CEST	192.168.2.7	8.8.8.8	0x1ed3	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:29.021514893 CEST	192.168.2.7	8.8.8.8	0xe87c	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:29.627389908 CEST	192.168.2.7	8.8.4.4	0xb61b	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:30.022881985 CEST	192.168.2.7	8.8.8.8	0xfaff	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:34.235707998 CEST	192.168.2.7	8.8.8.8	0x9149	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:34.343688965 CEST	192.168.2.7	8.8.4.4	0x12e6	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:34.449165106 CEST	192.168.2.7	8.8.8.8	0xcd26	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:38.559259892 CEST	192.168.2.7	8.8.8.8	0x1154	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:44.031632900 CEST	192.168.2.7	8.8.8.8	0xd929	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:49.292860985 CEST	192.168.2.7	8.8.8.8	0x2e28	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:54.726989031 CEST	192.168.2.7	8.8.8.8	0x31d2	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:54.834827900 CEST	192.168.2.7	8.8.4.4	0x5b98	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:54.959928989 CEST	192.168.2.7	8.8.8.8	0x826d	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:59.071983099 CEST	192.168.2.7	8.8.8.8	0x249c	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:59.138362885 CEST	192.168.2.7	8.8.4.4	0x19bb	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:59.245536089 CEST	192.168.2.7	8.8.8.8	0x9170	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:03.369879961 CEST	192.168.2.7	8.8.8.8	0x20ef	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:03.432816029 CEST	192.168.2.7	8.8.4.4	0xe0ac	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:03.528409958 CEST	192.168.2.7	8.8.8.8	0xbe2b	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:07.648883104 CEST	192.168.2.7	8.8.8.8	0xd36	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:12.904831886 CEST	192.168.2.7	8.8.8.8	0x308e	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:18.322038889 CEST	192.168.2.7	8.8.8.8	0x6a52	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:23.732136011 CEST	192.168.2.7	8.8.8.8	0x9e46	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:23.784437895 CEST	192.168.2.7	8.8.4.4	0xd2da	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:24.804606915 CEST	192.168.2.7	8.8.4.4	0xd2da	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:24.870029926 CEST	192.168.2.7	8.8.8.8	0x93b6	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:28.934925079 CEST	192.168.2.7	8.8.8.8	0x88c6	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:28.995167971 CEST	192.168.2.7	8.8.4.4	0x32f7	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:29.060477018 CEST	192.168.2.7	8.8.8.8	0x63cf	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:33.122565985 CEST	192.168.2.7	8.8.8.8	0x3f68	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:33.182643890 CEST	192.168.2.7	8.8.4.4	0xcf42	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:33.247688055 CEST	192.168.2.7	8.8.8.8	0xc9fb	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:37.327805996 CEST	192.168.2.7	8.8.8.8	0x8b83	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:42.529644012 CEST	192.168.2.7	8.8.8.8	0xb5ed	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:47.733093977 CEST	192.168.2.7	8.8.8.8	0x4f3f	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:52.950977087 CEST	192.168.2.7	8.8.8.8	0x8b88	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:53.011431932 CEST	192.168.2.7	8.8.4.4	0x2aae	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:53.083364010 CEST	192.168.2.7	8.8.8.8	0x6cee	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:57.159787893 CEST	192.168.2.7	8.8.8.8	0x2987	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:57.220031977 CEST	192.168.2.7	8.8.4.4	0x97ed	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:57.286722898 CEST	192.168.2.7	8.8.8.8	0xab9d	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 10, 2021 15:31:32.241700888 CEST	8.8.8.8	192.168.2.7	0xcbed	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:31:38.456140041 CEST	8.8.8.8	192.168.2.7	0xc120	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:31:44.165118933 CEST	8.8.8.8	192.168.2.7	0x6d75	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:06.210746050 CEST	8.8.8.8	192.168.2.7	0xb2e0	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:11.717715979 CEST	8.8.8.8	192.168.2.7	0x5e2e	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:17.791794062 CEST	8.8.8.8	192.168.2.7	0x96e4	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:38.619369984 CEST	8.8.8.8	192.168.2.7	0x1154	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:44.094465971 CEST	8.8.8.8	192.168.2.7	0xd929	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:32:49.351901054 CEST	8.8.8.8	192.168.2.7	0x2e28	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:07.710572958 CEST	8.8.8.8	192.168.2.7	0xd36	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:12.966074944 CEST	8.8.8.8	192.168.2.7	0x308e	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:18.380691051 CEST	8.8.8.8	192.168.2.7	0x6a52	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:37.386540890 CEST	8.8.8.8	192.168.2.7	0x8b83	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:42.590915918 CEST	8.8.8.8	192.168.2.7	0xb5ed	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:33:47.793531895 CEST	8.8.8.8	192.168.2.7	0x4f3f	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: dYy3yfSkwY.exe PID: 6108 Parent PID: 5724

General

Start time:	15:31:16
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\dYy3yfSkwY.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\dYy3yfSkwY.exe'
Imagebase:	0x400000
File size:	682684 bytes
MD5 hash:	3DEB8B7E51C21CBA0C2C723C5AF953DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.254544184.0000000002180000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: dYy3yfSkwY.exe PID: 668 Parent PID: 6108

General

Start time:	15:31:22
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\dYy3yfSkwY.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\dYy3yfSkwY.exe'
Imagebase:	0x400000
File size:	682684 bytes
MD5 hash:	3DEB8B7E51C21CBA0C2C723C5AF953DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000001.251399209.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: opjlpsercy.exe PID: 3724 Parent PID: 3292

General

Start time:	15:31:35
Start date:	10/06/2021
Path:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Imagebase:	0x400000
File size:	682684 bytes
MD5 hash:	3DEB8B7E51C21CBA0C2C723C5AF953DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.308184070.0000000009810000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, ReversingLabs
Reputation:	low

Analysis Process: opjlpsercy.exe PID: 4520 Parent PID: 3724

General

Start time:	15:31:42
Start date:	10/06/2021
Path:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Imagebase:	0x400000
File size:	682684 bytes
MD5 hash:	3DEB8B7E51C21CBA0C2C723C5AF953DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.319549745.00000000028EE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.320311850.0000000004B02000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000001.299993586.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.320200858.0000000004A70000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.320124108.00000000049E7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.319677498.00000000038E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: opjlpsercy.exe PID: 5892 Parent PID: 3292

General

Start time:	15:31:43
Start date:	10/06/2021
Path:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Imagebase:	0x400000
File size:	682684 bytes
MD5 hash:	3DEB8B7E51C21CBA0C2C723C5AF953DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report dYy3yfSkwY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre