
Windows Analysis Report kw7HGENm1D.exe

Overview

General Information

Sample Name: kw7HGENm1D.exe
Analysis ID: 451838
MD5: a854bd1a3ff6d359a5e2e76154892444
SHA1: b8de8cb81adbb8cc5456a2100ffd3502548b0c2c
SHA256: 8fb35304f24a6348adbd96f2ece69cdc23aa2442cfe28ca910ee31b48fd43632
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • kw7HGENm1D.exe (PID: 1700 cmdline: 'C:\Users\user\Desktop\kw7HGENm1D.exe' MD5: A854BD1A3FF6D359A5E2E76154892444)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "39997603-c9cb-4099-abed-49c0195a", "Group": "Old", "Domain1": "newhost.publicvm.com", "Domain2": "backupnewhost.duckdns.org", "Port": 9911, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
kw7HGENm1D.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
kw7HGENm1D.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
kw7HGENm1D.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
kw7HGENm1D.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.514043603.0000000005EE0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
00000000.00000002.514043603.0000000005EE0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
00000000.00000002.514025811.0000000005ED0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
00000000.00000002.514025811.0000000005ED0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
00000000.00000002.511088441.00000000039C0000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.kw7HGENm1D.exe.4bf0000.16.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
0.2.kw7HGENm1D.exe.4bf0000.16.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
0.2.kw7HGENm1D.exe.4bf0000.16.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.kw7HGENm1D.exe.4bc0000.14.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
0.2.kw7HGENm1D.exe.4bc0000.14.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth

Sigma Overview

Sigma detected: NanoCore (categories: AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality)
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\kw7HGENm1D.exe, ProcessId: 1700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: kw7HGENm1D.exe; Avira: detected
Found malware configuration
Source: 00000000.00000002.510127578.0000000003689000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "39997603-c9cb-4099-abed-49c0195a", "Group": "Old", "Domain1": "newhost.publicvm.com", "Domain2": "backupnewhost.duckdns.org", "Port": 9911, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for submitted file
Source: kw7HGENm1D.exe; Virustotal: Detection: 63%
Source: kw7HGENm1D.exe; Metadefender: Detection: 57%
Source: kw7HGENm1D.exe; ReversingLabs: Detection: 88%
Yara detected Nanocore RAT
Source: Yara match; File source: kw7HGENm1D.exe, type: SAMPLE
Source: Yara match; File source: 0.2.kw7HGENm1D.exe.4bf0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kw7HGENm1D.exe.4bf0000.16.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kw7HGENm1D.exe.4bf4629.15.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kw7HGENm1D.exe.3696f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kw7HGENm1D.exe.3696f20.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kw7HGENm1D.exe.369b549.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kw7HGENm1D.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.kw7HGENm1D.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.236906939.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.510127578.0000000003689000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.512499976.0000000004BF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.504244186.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: kw7HGENm1D.exe PID: 1700, type: MEMORY
Machine Learning detection for sample
Source: kw7HGENm1D.exe; Joe Sandbox ML: detected
Source: 0.2.kw7HGENm1D.exe.4bf0000.16.unpack; Avira: Label: TR/NanoCore.fadte
Source: kw7HGENm1D.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\kw7HGENm1D.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Users\Enc\Desktop\AllPassWords\MultiCore-master\MyClientPlugin\obj\Debug\Client.pdb; source: kw7HGENm1D.exe, 00000000.00000003.354611004.0000000003ACC000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Enc\Desktop\MultiCore-master\MultiCore-master\MyClientPlugin\obj\Debug\Client.pdb; source: kw7HGENm1D.exe, 00000000.00000002.511088441.00000000039C0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Enc\Desktop\MultiCore-master\MultiCore-master\MyClientPlugin\obj\Debug\Client.pdb|; source: kw7HGENm1D.exe, 00000000.00000002.511088441.00000000039C0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Enc\Desktop\AllPassWords\MultiCore-master\MyClientPlugin\obj\Debug\Client.pdbD; source: kw7HGENm1D.exe, 00000000.00000003.354611004.0000000003ACC000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb; source: kw7HGENm1D.exe, 00000000.00000003.354611004.0000000003ACC000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb; source: kw7HGENm1D.exe, 00000000.00000002.512219662.0000000004B10000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 3.92.185.198:9911
(11 further alerts for the same rule and destination 3.92.185.198:9911, from source ports 49722, 49725, 49731, 49732, 49733, 49734, 49735, 49739, 49740, 49741 and 49742)
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: backupnewhost.duckdns.org
Source: Malware configuration extractor; URLs: newhost.publicvm.com
Uses dynamic DNS services
Source: unknown; DNS query: name: backupnewhost.duckdns.org
Source: global traffic; TCP traffic: 192.168.2.5:49700 -> 52.91.94.222:9911
Source: global traffic; TCP traffic: 192.168.2.5:49721 -> 3.92.185.198:9911
Source: Joe Sandbox View; ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: C:\Users\user\Desktop\kw7HGENm1D.exe; Code function: 0_2_04992A0E WSARecv, 0_2_04992A0E
Source: unknown; DNS traffic detected: queries for: newhost.publicvm.com
Source: kw7HGENm1D.exe, 00000000.00000002.510475412.0000000003765000.00000004.00000001.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: kw7HGENm1D.exe, 00000000.00000002.510475412.0000000003765000.00000004.00000001.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: kw7HGENm1D.exe, 00000000.00000002.510475412.0000000003765000.00000004.00000001.sdmp, kw7HGENm1D.exe, 00000000.00000003.436320393.0000000003AF2000.00000004.00000001.sdmp, kw7HGENm1D.exe, 00000000.00000002.508807205.00000000027AD000.00000004.00000001.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: kw7HGENm1D.exe, 00000000.00000003.436320393.0000000003AF2000.00000004.00000001.sdmp, kw7HGENm1D.exe, 00000000.00000002.508807205.00000000027AD000.00000004.00000001.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: kw7HGENm1D.exe, 00000000.00000002.510475412.0000000003765000.00000004.00000001.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtabp
Source: kw7HGENm1D.exe, 00000000.00000002.510475412.0000000003765000.00000004.00000001.sdmp, kw7HGENm1D.exe, 00000000.00000003.436320393.0000000003AF2000.00000004.00000001.sdmp, kw7HGENm1D.exe, 00000000.00000002.508807205.00000000027AD000.00000004.00000001.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: kw7HGENm1D.exe, 00000000.00000003.436320393.0000000003AF2000.00000004.00000001.sdmp; String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: kw7HGENm1D.exe, 00000000.00000002.510475412.0000000003765000.00000004.00000001.sdmp; String found in binary or memory: https://search.yahoo.com/search
Source: kw7HGENm1D.exe, 00000000.00000002.510475412.0000000003765000.00000004.00000001.sdmp, kw7HGENm1D.exe, 00000000.00000003.436320393.0000000003AF2000.00000004.00000001.sdmp; String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: kw7HGENm1D.exe, 00000000.00000002.510475412.0000000003765000.00000004.00000001.sdmp; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: kw7HGENm1D.exe, 00000000.00000002.510127578.0000000003689000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (same Yara match sources as listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: C:\Users\user\Desktop\kw7HGENm1D.exe; Code function: 0_2_0499116A NtQuerySystemInformation, 0_2_0499116A
Source: C:\Users\user\Desktop\kw7HGENm1D.exe; Code function: 0_2_0499112F NtQuerySystemInformation, 0_2_0499112F
      Source: kw7HGENm1D.exe, 00000000.00000002.511060217.00000000039B4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000002.512014259.0000000004970000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000002.513025967.0000000005470000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000002.514043603.0000000005EE0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000002.514043603.0000000005EE0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000002.514043603.0000000005EE0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000002.511088441.00000000039C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000002.511088441.00000000039C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClient.dll" vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000003.354611004.0000000003ACC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000003.354611004.0000000003ACC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000003.354611004.0000000003ACC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000002.513527351.0000000005AD0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000002.512440128.0000000004BC0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000002.510127578.0000000003689000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe, 00000000.00000002.512219662.0000000004B10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs kw7HGENm1D.exe
      Source: kw7HGENm1D.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
      Source: kw7HGENm1D.exe, type: SAMPLE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: kw7HGENm1D.exe, type: SAMPLE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: kw7HGENm1D.exe, type: SAMPLE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.kw7HGENm1D.exe.4bf0000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.kw7HGENm1D.exe.4bf0000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.kw7HGENm1D.exe.4bc0000.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.kw7HGENm1D.exe.4bc0000.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.kw7HGENm1D.exe.5f20000.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.kw7HGENm1D.exe.5f20000.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.kw7HGENm1D.exe.5f20000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.kw7HGENm1D.exe.5f20000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d96