Windows Analysis Report #RFQ ORDER7678432213211.exe

Overview

General Information

Sample Name: #RFQ ORDER7678432213211.exe
Analysis ID: 451085
MD5: 2f286cd817b368e8a747e8f0d8f28825
SHA1: e49beec02d942e12b0dad74d81ab8ed4f02667e2
SHA256: b291d719522053a662cadd70b131668a1d953d4c4dd648e8a5647b689eb6341d
Tags: exe, NanoCore, RAT
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • #RFQ ORDER7678432213211.exe (PID: 4900 cmdline: 'C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe' MD5: 2F286CD817B368E8A747E8F0D8F28825)
    • powershell.exe (PID: 6052 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2416 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XgPYsUfalKn.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 3348 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XgPYsUfalKn' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD92.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1848 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XgPYsUfalKn.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • #RFQ ORDER7678432213211.exe (PID: 1328 cmdline: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe MD5: 2F286CD817B368E8A747E8F0D8F28825)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Group": "oluwa", "Domain1": "194.5.98.120", "Domain2": "joseedward5001.ddns.net", "Port": 1604, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.493425460.0000000005840000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
00000012.00000002.493425460.0000000005840000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
00000012.00000002.493258723.00000000057F0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost
00000012.00000002.493258723.00000000057F0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x59eb:$x2: NanoCore.ClientPluginHost
  • 0x6941:$s3: PipeExists
  • 0x5be1:$s4: PipeCreated
  • 0x5a05:$s5: IClientLoggingHost
00000012.00000002.493293452.0000000005800000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost

Unpacked PEs

Source | Rule | Description | Author | Strings
18.2.#RFQ ORDER7678432213211.exe.6310000.19.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x41ee:$x1: NanoCore.ClientPluginHost
  • 0x422b:$x2: IClientNetworkHost
18.2.#RFQ ORDER7678432213211.exe.6310000.19.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x41ee:$x2: NanoCore.ClientPluginHost
  • 0x7641:$s4: PipeCreated
  • 0x4218:$s5: IClientLoggingHost
18.2.#RFQ ORDER7678432213211.exe.57f0000.8.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x3deb:$x1: NanoCore.ClientPluginHost
  • 0x3f48:$x2: IClientNetworkHost
18.2.#RFQ ORDER7678432213211.exe.57f0000.8.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x3deb:$x2: NanoCore.ClientPluginHost
  • 0x4d41:$s3: PipeExists
  • 0x3fe1:$s4: PipeCreated
  • 0x3e05:$s5: IClientLoggingHost
18.2.#RFQ ORDER7678432213211.exe.5830000.11.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe, ProcessId: 1328, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe, ProcessId: 1328, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe', ParentImage: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe, ParentProcessId: 4900, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe', ProcessId: 6052
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe', ParentImage: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe, ParentProcessId: 4900, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe', ProcessId: 6052

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe, ProcessId: 1328, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe, ProcessId: 1328, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000012.00000002.490625846.0000000004081000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Group": "oluwa", "Domain1": "194.5.98.120", "Domain2": "joseedward5001.ddns.net", "Port": 1604, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\XgPYsUfalKn.exe; ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: #RFQ ORDER7678432213211.exe; ReversingLabs: Detection: 13%
Yara detected Nanocore RAT
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.4088a48.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.5940000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.5944629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.5940000.17.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.4088a48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.408d071.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000012.00000002.477033384.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.493731765.0000000005940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.490625846.0000000004081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: #RFQ ORDER7678432213211.exe PID: 1328, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\XgPYsUfalKn.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: #RFQ ORDER7678432213211.exe; Joe Sandbox ML: detected
Source: 18.2.#RFQ ORDER7678432213211.exe.5940000.17.unpack; Avira: Label: TR/NanoCore.fadte
Source: 18.2.#RFQ ORDER7678432213211.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: #RFQ ORDER7678432213211.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: #RFQ ORDER7678432213211.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorlib.pdb source: #RFQ ORDER7678432213211.exe, 00000012.00000002.483167361.000000000124C000.00000004.00000020.sdmp
Source: Binary string: System.pdb source: #RFQ ORDER7678432213211.exe, 00000012.00000002.483005071.0000000001217000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe; Code function: 4x nop then lea esp, dword ptr [ebp-04h] 18_2_0658AEB0
Source: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe; Code function: 4x nop then lea esp, dword ptr [ebp-04h] 18_2_0658AEA1

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49726 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49729 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49731 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 194.5.98.120:1604
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 194.5.98.120:1604
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: 194.5.98.120
Source: Malware configuration extractor; URLs: joseedward5001.ddns.net
Source: global traffic; TCP traffic: 192.168.2.3:49726 -> 194.5.98.120:1604
Source: Joe Sandbox View; ASN Name: DANILENKODE DANILENKODE
Source: unknown; TCP traffic detected without corresponding DNS query: 194.5.98.120
Source: powershell.exe, 0000000A.00000003.386127494.00000000076E4000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.424050500.0000000004F71000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.224155563.000000000564C000.00000004.00000001.sdmp; String found in binary or memory: http://www.agfamonotype.
Source: powershell.exe, 0000000A.00000003.386127494.00000000076E4000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.224155563.000000000564C000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.220096464.000000000564C000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.220096464.000000000564C000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comF
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.224155563.000000000564C000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.coma
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.220096464.000000000564C000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comaV.
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.224155563.000000000564C000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comasva
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.219670990.000000000564F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comgrita
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.215745931.0000000000DFC000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.215745931.0000000000DFC000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comd
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.215745931.0000000000DFC000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comp
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.222450009.0000000005677000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.222450009.0000000005677000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/W
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.223772397.000000000564C000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmI;
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218561472.0000000005649000.00000004.00000001.sdmp, #RFQ ORDER7678432213211.exe, 00000000.00000003.218259854.000000000564A000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218089594.0000000005642000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp//tr
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218359434.000000000564F000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/2.
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218359434.000000000564F000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/O.
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218089594.0000000005642000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/X.
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218089594.0000000005642000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/X7e
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218561472.0000000005649000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y.
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218561472.0000000005649000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-f
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218359434.000000000564F000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/c.U
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218561472.0000000005649000.00000004.00000001.sdmp, #RFQ ORDER7678432213211.exe, 00000000.00000003.218259854.000000000564A000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218446869.0000000005646000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/O.
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218561472.0000000005649000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/j.
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218089594.0000000005642000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218089594.0000000005642000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/rV.
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218446869.0000000005646000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218359434.000000000564F000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/u.
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.218561472.0000000005649000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: #RFQ ORDER7678432213211.exe, 00000000.00000003.217505680.0000000005654000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: powershell.exe, 0000000A.00000003.386127494.00000000076E4000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000003.389513372.0000000005A9B000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.395464833.00000000051BF000.00000004.00000001.sdmp; String found in binary or memory: https://go.micro
Source: #RFQ ORDER7678432213211.exe, 00000012.00000002.490625846.0000000004081000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.4088a48.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.5940000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.5944629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.5940000.17.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.4088a48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.#RFQ ORDER7678432213211.exe.408d071.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000012.00000002.477033384.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.493731765.0000000005940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.490625846.0000000004081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: #RFQ ORDER7678432213211.exe PID: 1328, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 18.2.#RFQ ORDER7678432213211.exe.6310000.19.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.57f0000.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5830000.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.4088a48.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.6310000.19.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.57e0000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5940000.17.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5810000.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.584e8a4.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.#RFQ ORDER7678432213211.exe.5944629.16.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5840000.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5800000.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5940000.17.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5830000.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.57f0000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5844c9f.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5630000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.4088a48.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5810000.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.408d071.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5800000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.5840000.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 18.2.#RFQ ORDER7678432213211.exe.307f090.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.493425460.0000000005840000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.493258723.00000000057F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.493293452.0000000005800000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.494090628.0000000006310000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.477033384.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.477033384.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.493236087.00000000057E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.493731765.0000000005940000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.493399369.0000000005830000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.492994566.0000000005630000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.493334722.0000000005810000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: #RFQ ORDER7678432213211.exe PID: 1328, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: #RFQ ORDER7678432213211.exe PID: 1328, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: #RFQ ORDER7678432213211.exe
Source: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe; Code function: 18_2_00A531B8
Source: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe; Code function: 18_2_00A52ADF
Source: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe; Code function: 18_2_0145E471
Source: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exe; Code function: 18_2_0145E480
Source: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exeCode function: 18_2_0145BBD418_2_0145BBD4
Source: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exeCode function: 18_2_0658803018_2_06588030
Source: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exeCode function: 18_2_06588C4818_2_06588C48
Source: C:\Users\user\Desktop\#RFQ ORDER7678432213211.exeCode function: 18_2_06588D0618_2_06588D06
Source: #RFQ ORDER7678432213211.exe, 00000000.00000000.212779401.00000000002AC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSafeTypeNameParserHand.exeB vs #RFQ ORDER7678432213211.exe
Source: #RFQ ORDER7678432213211.exe, 00000012.00000002.485095538.0000000003078000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs #RFQ ORDER7678432213211.exe
Source: #RFQ ORDER7678432213211.exe, 00000012.00000002.479636748.0000000000B5C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSafeTypeNameParserHand.exeB vs #RFQ ORDER7678432213211.exe
Source: #RFQ ORDER7678432213211.exe, 00000012.00000002.494090628.0000000006310000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs #RFQ ORDER7678432213211.exe
Source: #RFQ ORDER7678432213211.exe, 00000012.00000002.493987708.00000000061E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs #RFQ ORDER7678432213211.exe
Source: #RFQ ORDER7678432213211.exe, 00000012.00000002.490625846.0000000004081000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs #RFQ ORDER7678432213211.exe
Source: #RFQ ORDER7678432213211.exe, 00000012.00000002.495135748.00000000070B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs #RFQ ORDER7678432213211.exe
Source: #RFQ ORDER7678432213211.exeBinary or memory string: OriginalFilenameSafeTypeNameParserHand.exeB vs #RFQ ORDER7678432213211.exe
Source: #RFQ ORDER7678432213211.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 18.2.#RFQ ORDER7678432213211.exe.6310000.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.#RFQ ORDER7678432213211.exe.6310000.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.#RFQ ORDER7678432213211.exe.57f0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.#RFQ ORDER7678432213211.exe.57f0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.#RFQ ORDER7678432213211.exe.5830000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.#RFQ ORDER7678432213211.exe.5830000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.#RFQ ORDER7678432213211.exe.4088a48.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.#RFQ ORDER7678432213211.exe.4088a48.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.#RFQ ORDER7678432213211.exe.6310000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.#RFQ ORDER7678432213211.exe.6310000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.#RFQ ORDER7678432213211.exe.57e0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.#RFQ ORDER7678432213211.exe.57e0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.#RFQ ORDER7678432213211.exe.5940000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.#RFQ ORDER7678432213211.exe.5940000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.#RFQ ORDER7678432213211.exe.5810000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.#RFQ ORDER7678432213211.exe.5810000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.#RFQ ORDER7678432213211.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.#RFQ ORDER7678432213211.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.#RFQ ORDER7678432213211.exe.584e8a4.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.#RFQ ORDER7678432213211.exe.584e8a4.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.#RFQ ORDER7678432213211.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.#RFQ ORDER7678432213211.exe.5944629.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/