Windows Analysis Report RFQ 10 UNIT.exe

Overview

General Information

Sample Name: RFQ 10 UNIT.exe
Analysis ID: 451100
MD5: 97904d814bcda66efe2d278ef92da65f
SHA1: 6ce40705c8de4e3c8efb1857deb76357ac500df7
SHA256: d4a810dc5c1bf6cfcedaf05d46a9230250ce314cc19082ca044763dcd9ff7135
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • RFQ 10 UNIT.exe (PID: 3096 cmdline: 'C:\Users\user\Desktop\RFQ 10 UNIT.exe' MD5: 97904D814BCDA66EFE2D278EF92DA65F)
    • RFQ 10 UNIT.exe (PID: 4572 cmdline: C:\Users\user\Desktop\RFQ 10 UNIT.exe MD5: 97904D814BCDA66EFE2D278EF92DA65F)
    • RFQ 10 UNIT.exe (PID: 1540 cmdline: C:\Users\user\Desktop\RFQ 10 UNIT.exe MD5: 97904D814BCDA66EFE2D278EF92DA65F)
  • dhcpmon.exe (PID: 4076 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 97904D814BCDA66EFE2D278EF92DA65F)
    • dhcpmon.exe (PID: 1396 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 97904D814BCDA66EFE2D278EF92DA65F)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c9622013-90b3-4810-9b2a-2fbba172", "Domain1": "185.140.53.253", "Domain2": "dedicatedlambo9.ddns.net", "Port": 1604, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000018.00000002.401016722.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000002.401016722.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    00000018.00000002.401016722.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    00000008.00000002.485058731.0000000004419000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
      00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      8.2.RFQ 10 UNIT.exe.476b80e.12.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x3d99:$x1: NanoCore.ClientPluginHost
      • 0xcd3b:$x1: NanoCore.ClientPluginHost
      • 0x3db3:$x2: IClientNetworkHost
      • 0xcd55:$x2: IClientNetworkHost
      8.2.RFQ 10 UNIT.exe.476b80e.12.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0x3d99:$x2: NanoCore.ClientPluginHost
      • 0xcd3b:$x2: NanoCore.ClientPluginHost
      • 0x4dce:$s4: PipeCreated
      • 0x3d86:$s5: IClientLoggingHost
      • 0xcd28:$s5: IClientLoggingHost
      8.2.RFQ 10 UNIT.exe.3466204.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      8.2.RFQ 10 UNIT.exe.3466204.4.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      8.2.RFQ 10 UNIT.exe.456f7c1.8.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x2dbb:$x1: NanoCore.ClientPluginHost
      • 0x2de5:$x2: IClientNetworkHost

      Sigma Overview

      AV Detection:

      Sigma detected: NanoCore
      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\RFQ 10 UNIT.exe, ProcessId: 1540, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud:

      Sigma detected: NanoCore
      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\RFQ 10 UNIT.exe, ProcessId: 1540, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Stealing of Sensitive Information:

      Sigma detected: NanoCore
      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\RFQ 10 UNIT.exe, ProcessId: 1540, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality:

      Sigma detected: NanoCore
      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\RFQ 10 UNIT.exe, ProcessId: 1540, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Jbx Signature Overview

      AV Detection:

      Found malware configuration
      Source: 00000008.00000002.485058731.0000000004419000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c9622013-90b3-4810-9b2a-2fbba172", "Domain1": "185.140.53.253", "Domain2": "dedicatedlambo9.ddns.net", "Port": 1604, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
      Multi AV Scanner detection for dropped file
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 19%
      Multi AV Scanner detection for submitted file
      Source: RFQ 10 UNIT.exe, ReversingLabs: Detection: 19%
      Yara detected Nanocore RAT
      Machine Learning detection for dropped file
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
      Machine Learning detection for sample
      Source: RFQ 10 UNIT.exe, Joe Sandbox ML: detected
      Source: 8.2.RFQ 10 UNIT.exe.4438a40.6.unpack, Avira: Label: TR/NanoCore.fadte
      Source: 8.2.RFQ 10 UNIT.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 24.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: RFQ 10 UNIT.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: RFQ 10 UNIT.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp

      Networking:

      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractor, URLs: dedicatedlambo9.ddns.net
      Source: Malware configuration extractor, URLs: 185.140.53.253
      Uses dynamic DNS services
      Source: unknown, DNS query: name: dedicatedlambo9.ddns.net
      Source: global traffic, TCP traffic: 192.168.2.3:49725 -> 185.140.53.253:1604
      Source: global traffic, TCP traffic: 192.168.2.3:49729 -> 84.38.133.182:1604
      Source: Joe Sandbox View, IP Address: 185.140.53.253
      Source: Joe Sandbox View, ASN Name: DATACLUB-NL
      Source: Joe Sandbox View, ASN Name: DAVID_CRAIGGG
      Source: unknown, TCP traffic detected without corresponding DNS query: 185.140.53.253
      Source: unknown, DNS traffic detected: queries for: dedicatedlambo9.ddns.net
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
      Source: RFQ 10 UNIT.exe, 00000000.00000003.215074208.00000000058FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comc(
      Source: RFQ 10 UNIT.exe, 00000000.00000003.214967601.00000000058FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comcJ
      Source: RFQ 10 UNIT.exe, 00000000.00000003.214937293.00000000058FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comic
      Source: RFQ 10 UNIT.exe, 00000000.00000003.216431606.00000000058F1000.00000004.00000001.sdmp, RFQ 10 UNIT.exe, 00000000.00000003.217178822.00000000058EC000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
      Source: RFQ 10 UNIT.exe, 00000000.00000003.216431606.00000000058F1000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnayov
      Source: RFQ 10 UNIT.exe, 00000000.00000003.215153399.00000000058FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comA
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485058731.0000000004419000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      Yara detected Nanocore RAT

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: C:\Users\user\Desktop\RFQ 10 UNIT.exe, Code function: 8_2_031EE471
      Source: C:\Users\user\Desktop\RFQ 10 UNIT.exe, Code function: 8_2_031EE480
      Source: C:\Users\user\Desktop\RFQ 10 UNIT.exe, Code function: 8_2_031EBBD4
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 24_2_0309E471
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 24_2_0309E480
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 24_2_0309BBD4
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 24_2_0565F5F8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 24_2_05659788
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 24_2_0565A610
      Source: RFQ 10 UNIT.exe, 00000000.00000000.209499426.00000000004A2000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameSignatureHelp.exeB vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, Binary or memory string: OriginalFilename vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000007.00000000.269384397.0000000000372000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameSignatureHelp.exeB vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, Binary or memory string: OriginalFilename vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNAudio.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485186935.00000000044C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485058731.0000000004419000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485058731.0000000004419000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.476275048.0000000000E72000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameSignatureHelp.exeB vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.485779990.00000000047F1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, 00000008.00000002.479103223.000000000162A000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, Binary or memory string: OriginalFilenameSignatureHelp.exeB vs RFQ 10 UNIT.exe
      Source: RFQ 10 UNIT.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 8.2.RFQ 10 UNIT.exe.476b80e.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.476b80e.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RFQ 10 UNIT.exe.3466204.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.3466204.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RFQ 10 UNIT.exe.456f7c1.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.456f7c1.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RFQ 10 UNIT.exe.47629df.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.47629df.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 24.2.dhcpmon.exe.416ff6c.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 24.2.dhcpmon.exe.416ff6c.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 24.2.dhcpmon.exe.416b136.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 24.2.dhcpmon.exe.416b136.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 24.2.dhcpmon.exe.416b136.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RFQ 10 UNIT.exe.3459fbc.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.3459fbc.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 24.2.dhcpmon.exe.4174595.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 24.2.dhcpmon.exe.4174595.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RFQ 10 UNIT.exe.3466204.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.3466204.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RFQ 10 UNIT.exe.4779c3e.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.4779c3e.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RFQ 10 UNIT.exe.4438a40.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.4438a40.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RFQ 10 UNIT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RFQ 10 UNIT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RFQ 10 UNIT.exe.4438a40.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.4438a40.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RFQ 10 UNIT.exe.456f7c1.8.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 24.2.dhcpmon.exe.416ff6c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 24.2.dhcpmon.exe.416ff6c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 24.2.dhcpmon.exe.3189684.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 24.2.dhcpmon.exe.3189684.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RFQ 10 UNIT.exe.3459fbc.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.3459fbc.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RFQ 10 UNIT.exe.47f6b08.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.47f6b08.13.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RFQ 10 UNIT.exe.457b9f5.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.457b9f5.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RFQ 10 UNIT.exe.47629df.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.47629df.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RFQ 10 UNIT.exe.47629df.10.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RFQ 10 UNIT.exe.4779c3e.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RFQ 10 UNIT.exe.4779