
Windows Analysis Report yMI7.exe

Overview

General Information

Sample Name: yMI7.exe
Analysis ID: 452025
MD5: 39121091956f8934b1c73041ee1cc90f
SHA1: 2d63ef96343bd4636ced243f81ce9cc361b28f74
SHA256: 9a2247160056d9a5de43a34672b7e1650402a8ec6f435f1ef0d07a5347907404
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Yara signature match

Classification

Process Tree

  • System is w10x64
  • yMI7.exe (PID: 784 cmdline: 'C:\Users\user\Desktop\yMI7.exe' MD5: 39121091956F8934B1C73041EE1CC90F)
  • dhcpmon.exe (PID: 4188 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 39121091956F8934B1C73041EE1CC90F)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1d151c9c-8c5a-49a2-b97c-b83e2e70", "Group": "Default", "Domain1": "marquinhos-36228.portmap.host", "Domain2": "127.0.0.1", "Port": 36228, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
yMI7.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
yMI7.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
yMI7.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
yMI7.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Dropped Files

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
[14 entries in total; the remaining entries are collapsed in the original report]

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.dhcpmon.exe.2e68e2c.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
5.2.dhcpmon.exe.2e68e2c.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
5.2.dhcpmon.exe.3f5a5aa.7.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
5.2.dhcpmon.exe.3f5a5aa.7.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
5.2.dhcpmon.exe.3f667dc.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x6da5:$x1: NanoCore.ClientPluginHost
  • 0x6dd2:$x2: IClientNetworkHost
[29 entries in total; the remaining entries are collapsed in the original report]

Sigma Overview

AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality (the same Sigma hit is reported under all four categories):

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\yMI7.exe, ProcessId: 784, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: yMI7.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Found malware configuration
Source: 00000005.00000002.252465646.0000000002E41000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 80%
Multi AV Scanner detection for submitted file
Source: yMI7.exe | Virustotal: Detection: 80%
Yara detected Nanocore RAT
Source: Yara match | File source: yMI7.exe, type: SAMPLE
Source: Yara match | File source: 0.0.yMI7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.3f667dc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.3f5a5aa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.3f5577e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.203043099.0000000000BA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.252582895.0000000003E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.252465646.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: yMI7.exe PID: 784, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4188, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: yMI7.exe | Joe Sandbox ML: detected
Source: 0.0.yMI7.exe.ba0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.dhcpmon.exe.720000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.dhcpmon.exe.720000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: yMI7.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\yMI7.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: marquinhos-36228.portmap.host
Source: Malware configuration extractor | URLs: 127.0.0.1
Source: unknown | DNS traffic detected: query: marquinhos-36228.portmap.host replaycode: Name error (3)
Source: unknown | DNS traffic detected: queries for: marquinhos-36228.portmap.host
Source: dhcpmon.exe, 00000005.00000002.252582895.0000000003E41000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

System Summary:

Malicious sample detected (through community Yara rule)
Source: yMI7.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: yMI7.exe, type: SAMPLE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.2e68e2c.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.dhcpmon.exe.3f5a5aa.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.dhcpmon.exe.3f667dc.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.dhcpmon.exe.2e75100.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.dhcpmon.exe.2e68e2c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.0.yMI7.exe.ba0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.0.yMI7.exe.ba0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.2e75100.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.dhcpmon.exe.2e63dc4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.dhcpmon.exe.2e63dc4.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.0.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.3f667dc.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.dhcpmon.exe.3f5a5aa.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.dhcpmon.exe.3f5577e.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.dhcpmon.exe.3f5577e.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.203043099.0000000000BA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000000.203043099.0000000000BA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.252582895.0000000003E41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.252465646.0000000002E41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: yMI7.exe PID: 784, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: yMI7.exe PID: 784, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4188, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4188, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_0072524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_02A623A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_02A62FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_02A63850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_02A6306F
Source: yMI7.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Matched rule metadata (identical for every source listed below, so given once per rule):
  • Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
  • NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: yMI7.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Gen_2
Source: yMI7.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Feb18_1
Source: yMI7.exe, type: SAMPLE | Matched rule: NanoCore
Source: 5.2.dhcpmon.exe.2e68e2c.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.2.dhcpmon.exe.2e68e2c.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1
Source: 5.2.dhcpmon.exe.3f5a5aa.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.2.dhcpmon.exe.3f5a5aa.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1
Source: 5.2.dhcpmon.exe.3f667dc.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.2.dhcpmon.exe.3f667dc.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1
Source: 5.2.dhcpmon.exe.2e75100.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.2.dhcpmon.exe.2e75100.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1
Source: 5.2.dhcpmon.exe.2e68e2c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.2.dhcpmon.exe.2e68e2c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1
Source: 0.0.yMI7.exe.ba0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 0.0.yMI7.exe.ba0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1
Source: 0.0.yMI7.exe.ba0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore
Source: 5.2.dhcpmon.exe.2e75100.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.2.dhcpmon.exe.2e75100.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1
Source: 5.2.dhcpmon.exe.2e63dc4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.2.dhcpmon.exe.2e63dc4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1
Source: 5.2.dhcpmon.exe.2e63dc4.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore
Source: 5.2.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.2.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1
Source: 5.2.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore
Source: 5.0.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.0.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1
Source: 5.0.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore
Source: 5.2.dhcpmon.exe.3f667dc.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.2.dhcpmon.exe.3f5a5aa.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.2.dhcpmon.exe.3f5577e.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2
Source: 5.2.dhcpmon.exe.3f5577e.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore
Source: 00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2
Source: 00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore
Source: 00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2
Source: 00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore
Source: 00000000.00000000.203043099.0000000000BA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2
Source: 00000000.00000000.203043099.0000000000BA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore
          Source: 00000005.00000002.252582895.0000000003E41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000005.00000002.252465646.0000000002E41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: yMI7.exe PID: 784, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: yMI7.exe PID: 784, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 4188, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 4188, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: yMI7.exe | Static PE information: Section: .rsrc ZLIB complexity 0.999126519097
Source: dhcpmon.exe.0.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999126519097
Source: yMI7.exe, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: yMI7.exe, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: yMI7.exe, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.0.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.0.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.0.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.yMI7.exe.ba0000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.yMI7.exe.ba0000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.yMI7.exe.ba0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.yMI7.exe.ba0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.yMI7.exe.ba0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.0.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.0.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.dhcpmon.exe.720000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.dhcpmon.exe.720000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.dhcpmon.exe.720000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.dhcpmon.exe.720000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: yMI7.exe, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: yMI7.exe, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/4@45/2
Source: C:\Users\user\Desktop\yMI7.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\yMI7.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: C:\Users\user\Desktop\yMI7.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{1d151c9c-8c5a-49a2-b97c-b83e2e70c3df}
Source: C:\Users\user\Desktop\yMI7.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: yMI7.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yMI7.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\yMI7.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\yMI7.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\yMI7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\yMI7.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: yMI7.exe | Virustotal: Detection: 80%
Source: C:\Users\user\Desktop\yMI7.exe | File read: C:\Users\user\Desktop\yMI7.exe
Source: unknown | Process created: C:\Users\user\Desktop\yMI7.exe 'C:\Users\user\Desktop\yMI7.exe'
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\yMI7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\yMI7.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: yMI7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\yMI7.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

.NET source code contains potential unpacker
Source: yMI7.exe, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: yMI7.exe, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.0.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.0.dr, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.yMI7.exe.ba0000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.yMI7.exe.ba0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.dhcpmon.exe.720000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.dhcpmon.exe.720000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.dhcpmon.exe.720000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.dhcpmon.exe.720000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: yMI7.exe, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: yMI7.exe, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.0.dr, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.0.dr, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.yMI7.exe.ba0000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.yMI7.exe.ba0000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.2.dhcpmon.exe.720000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.dhcpmon.exe.720000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.dhcpmon.exe.720000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.dhcpmon.exe.720000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\yMI7.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\yMI7.exe | File opened: C:\Users\user\Desktop\yMI7.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\yMI7.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yMI7.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\yMI7.exe | Window / User API: threadDelayed 379
Source: C:\Users\user\Desktop\yMI7.exe | Window / User API: foregroundWindowGot 549
Source: C:\Users\user\Desktop\yMI7.exe | Window / User API: foregroundWindowGot 637
Source: C:\Users\user\Desktop\yMI7.exe TID: 5460 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\yMI7.exe TID: 5464 | Thread sleep time: -220000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5076 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\yMI7.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\yMI7.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\yMI7.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\yMI7.exe | Memory allocated: page read and write | page guard
Source: yMI7.exe, 00000000.00000003.328170646.00000000060E4000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\yMI7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: yMI7.exe, type: SAMPLE
Source: Yara match | File source: 0.0.yMI7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.3f667dc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.3f5a5aa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.3f5577e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.203043099.0000000000BA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.252582895.0000000003E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.252465646.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: yMI7.exe PID: 784, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4188, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Remote Access Functionality:

Detected Nanocore Rat
Source: yMI7.exe, 00000000.00000000.203043099.0000000000BA2000.00000002.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe | String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000005.00000002.252582895.0000000003E41000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: yMI7.exe | String found in binary or memory: NanoCore.ClientPluginHost
          Yara detected Nanocore RAT
          Source: Yara match, File source: yMI7.exe, type: SAMPLE
          Source: Yara match, File source: 0.0.yMI7.exe.ba0000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.0.dhcpmon.exe.720000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.dhcpmon.exe.3f667dc.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.dhcpmon.exe.3f5a5aa.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.dhcpmon.exe.3f5577e.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000000.203043099.0000000000BA2000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.252582895.0000000003E41000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.252465646.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: yMI7.exe PID: 784, type: MEMORY
          Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 4188, type: MEMORY
          Source: Yara match, File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection2 | Masquerading2 | Input Capture11 | Security Software Discovery1 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Remote Access Software1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection2 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph



          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          yMI7.exe | 80% | Virustotal |
          yMI7.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
          yMI7.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 80% | Virustotal |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          0.0.yMI7.exe.ba0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          5.2.dhcpmon.exe.720000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          5.0.dhcpmon.exe.720000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          marquinhos-36228.portmap.host | 0% | Avira URL Cloud | safe
          127.0.0.1 | 0% | Virustotal |
          127.0.0.1 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            marquinhos-36228.portmap.host | unknown | unknown | true | | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            marquinhos-36228.portmap.host | true | Avira URL Cloud: safe | unknown
            127.0.0.1 | true | Virustotal: 0%; Avira URL Cloud: safe | unknown

            Contacted IPs


            Public

            IP | Domain | Country | Flag | ASN | ASN Name | Malicious

            Private

            IP
            192.168.2.1
            127.0.0.1

            General Information

            Joe Sandbox Version:33.0.0 White Diamond
            Analysis ID:452025
            Start date:21.07.2021
            Start time:18:08:08
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 6m 4s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:yMI7.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:25
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@2/4@45/2
            EGA Information:Failed
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 23.54.113.53, 52.255.188.83, 13.64.90.137, 104.43.139.144, 20.50.102.62, 23.54.113.104, 40.112.88.60, 23.0.174.185, 23.0.174.200, 23.10.249.26, 23.10.249.43, 20.82.209.183
            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
            • Not all processes were analyzed; report is missing behavior information
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            Time | Type | Description
            18:08:56 | API Interceptor | 1059x Sleep call for process: yMI7.exe modified
            18:09:01 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Process:C:\Users\user\Desktop\yMI7.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):486400
            Entropy (8bit):7.858767992660797
            Encrypted:false
            SSDEEP:12288:MLV6BtpmkSYu1kSk63qiwi1kdENzqCm1zTZsiqx60HidcAEx43y:+ApfSYu+r6YSkdE5mFTZ+Hq243y
            MD5:39121091956F8934B1C73041EE1CC90F
            SHA1:2D63EF96343BD4636CED243F81CE9CC361B28F74
            SHA-256:9A2247160056D9A5DE43A34672B7E1650402A8EC6F435F1EF0D07A5347907404
            SHA-512:83671F6DFFBB90B6DDBE7504E9805AA5A66E8FD8025B3B8C330A37CF342F845F880B0A9A6ED95BE70F1A5FE0994FD3B6A4E8C4BDBE59ADD0183DBAD95A7CE8FC
            Malicious:true
            Yara Hits:
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Virustotal, Detection: 80%, Browse
            Reputation:low
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T................................. ........@.. ......................................................................8...W.... ............................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc........ ......................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
            Process:C:\Users\user\Desktop\yMI7.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Reputation:high, very likely benign file
            Preview: [ZoneTransfer]....ZoneId=0
            C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):525
            Entropy (8bit):5.2874233355119316
            Encrypted:false
            SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
            MD5:61CCF53571C9ABA6511D696CB0D32E45
            SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
            SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
            SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
            Malicious:true
            Reputation:high, very likely benign file
            Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
            Process:C:\Users\user\Desktop\yMI7.exe
            File Type:data
            Category:dropped
            Size (bytes):8
            Entropy (8bit):2.75
            Encrypted:false
            SSDEEP:3:HiIp8t:LSt
            MD5:D968E8CAF6CE7C3F89D60D184D89ECCB
            SHA1:9EE5ADC2852A7FBF89475B4DA612C1F601B4FB99
            SHA-256:406646F65342BC1D184FB76057FDFC62ED701E62E2696709F5C249B720BED595
            SHA-512:88D7E0046B9D109DB70858AEC41F0971F9F0A80207539B6B51C4892971DC381F3F3E933A075D01F87B8C8F5B9736F6BE9749BF2BD27F58DD011BCCC9E4FC513B
            Malicious:true
            Reputation:low
            Preview: ...G.L.H

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.858767992660797
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:yMI7.exe
            File size:486400
            MD5:39121091956f8934b1c73041ee1cc90f
            SHA1:2d63ef96343bd4636ced243f81ce9cc361b28f74
            SHA256:9a2247160056d9a5de43a34672b7e1650402a8ec6f435f1ef0d07a5347907404
            SHA512:83671f6dffbb90b6ddbe7504e9805aa5a66e8fd8025b3b8c330a37cf342f845f880b0a9a6ed95be70f1a5fe0994fd3b6a4e8c4bdbe59add0183dbad95a7ce8fc
            SSDEEP:12288:MLV6BtpmkSYu1kSk63qiwi1kdENzqCm1zTZsiqx60HidcAEx43y:+ApfSYu+r6YSkdE5mFTZ+Hq243y
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T................................. ........@.. .....................................................................

            File Icon

            Icon Hash:00828e8e8686b000

            Static PE Info

            General

            Entrypoint:0x41e792
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
            DLL Characteristics:
            Time Stamp:0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
            TLS Callbacks:
            CLR (.Net) Version:v2.0.50727
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

            Entrypoint Preview

            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e738 | 0x57 | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x59e18 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x1c798 | 0x1c800 | False | 0.594503837719 | data | 6.59807609597 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .reloc | 0x20000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            .rsrc | 0x22000 | 0x59e18 | 0x5a000 | False | 0.999126519097 | data | 7.99949505545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_RCDATA | 0x22058 | 0x59dc0 | TIM image, Pixel at (24880,47463) Size=10872x29692 | |

            Imports

            DLL | Import
            mscoree.dll | _CorExeMain

            Network Behavior

            Network Port Distribution

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jul 21, 2021 18:08:49.408694029 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:49.420985937 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:08:50.391608953 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:50.405205011 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:08:51.168989897 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:51.181888103 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:08:51.276034117 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:51.294008970 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:08:54.078818083 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:54.091849089 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:08:55.552917004 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:55.566559076 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:08:56.566930056 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:56.580017090 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:08:57.596287966 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:57.610011101 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:08:58.682250023 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:58.695177078 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:08:59.154131889 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:59.189044952 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:08:59.234327078 CEST | 60100 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:08:59.248064995 CEST | 53 | 60100 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:08:59.265060902 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:59.278369904 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:08:59.733872890 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:08:59.746829033 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:00.741177082 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:00.754364967 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:01.548338890 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:01.561408997 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:02.602241993 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:02.616133928 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:03.390698910 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:03.404673100 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:03.433067083 CEST | 57084 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:09:03.446898937 CEST | 53 | 57084 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:09:03.454628944 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:03.468732119 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:03.602423906 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:03.616652966 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:04.627053022 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:04.640058994 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:05.747694016 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:05.760886908 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:06.598638058 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:06.612566948 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:07.420758963 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:07.434305906 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:07.606671095 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:07.620855093 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:07.711667061 CEST | 50713 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:09:07.724493980 CEST | 53 | 50713 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:09:07.798871040 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:07.812117100 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:24.302570105 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:24.329488993 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:25.309164047 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:25.327780962 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:27.610974073 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:27.625359058 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:27.628843069 CEST | 61292 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:09:27.642312050 CEST | 53 | 61292 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:09:27.827480078 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:27.840261936 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:31.936835051 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:31.950519085 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:31.953711987 CEST | 61946 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:09:31.967222929 CEST | 53 | 61946 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:09:31.975235939 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:31.988960028 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:36.034465075 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:36.047396898 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:36.050039053 CEST | 56130 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:09:36.063028097 CEST | 53 | 56130 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:09:36.069166899 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:36.082801104 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:42.004146099 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:42.031419039 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:44.504885912 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:44.523040056 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:55.256452084 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:55.269335985 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:55.300771952 CEST | 62938 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:09:55.314256907 CEST | 53 | 62938 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:09:55.320933104 CEST | 55708 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:55.334157944 CEST | 53 | 55708 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:58.610618114 CEST | 56803 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:58.624608994 CEST | 53 | 56803 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:59.371862888 CEST | 57145 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:59.384891987 CEST | 53 | 57145 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:09:59.523283958 CEST | 55359 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:09:59.538171053 CEST | 53 | 55359 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:09:59.544392109 CEST | 58306 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:09:59.559184074 CEST | 53 | 58306 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:02.013952971 CEST | 64124 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:02.032975912 CEST | 53 | 64124 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:03.617001057 CEST | 49361 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:03.630134106 CEST | 53 | 49361 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:03.718733072 CEST | 63150 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:10:03.733841896 CEST | 53 | 63150 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:10:03.884324074 CEST | 53279 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:03.898324013 CEST | 53 | 53279 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:23.072074890 CEST | 56881 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:23.085443020 CEST | 53 | 56881 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:23.088762999 CEST | 53642 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:10:23.102976084 CEST | 53 | 53642 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:10:23.119174957 CEST | 55667 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:23.133109093 CEST | 53 | 55667 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:27.210969925 CEST | 54833 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:27.224175930 CEST | 53 | 54833 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:27.227534056 CEST | 62476 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:10:27.239530087 CEST | 53 | 62476 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:10:27.246526957 CEST | 49705 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:27.259665012 CEST | 53 | 49705 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:31.314162016 CEST | 61477 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:31.327352047 CEST | 53 | 61477 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:31.333368063 CEST | 61633 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:10:31.346574068 CEST | 53 | 61633 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:10:31.361603975 CEST | 55949 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:31.374669075 CEST | 53 | 55949 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:33.304223061 CEST | 57601 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:33.331764936 CEST | 53 | 57601 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:34.556324959 CEST | 49342 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:34.583259106 CEST | 53 | 49342 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:50.875526905 CEST | 56253 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:50.889142036 CEST | 53 | 56253 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:50.915549994 CEST | 49667 | 53 | 192.168.2.3 | 8.8.4.4
            Jul 21, 2021 18:10:50.928364038 CEST | 53 | 49667 | 8.8.4.4 | 192.168.2.3
            Jul 21, 2021 18:10:50.934480906 CEST | 55439 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:50.948419094 CEST | 53 | 55439 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:54.999332905 CEST | 57069 | 53 | 192.168.2.3 | 8.8.8.8
            Jul 21, 2021 18:10:55.013149977 CEST | 53 | 57069 | 8.8.8.8 | 192.168.2.3
            Jul 21, 2021 18:10:55.019088030 CEST5765953192.168.2.38.8.4.4
            Jul 21, 2021 18:10:55.031843901 CEST53576598.8.4.4192.168.2.3
            Jul 21, 2021 18:10:55.068900108 CEST5471753192.168.2.38.8.8.8
            Jul 21, 2021 18:10:55.083175898 CEST53547178.8.8.8192.168.2.3
            Jul 21, 2021 18:10:59.121402979 CEST6397553192.168.2.38.8.8.8
            Jul 21, 2021 18:10:59.134984970 CEST53639758.8.8.8192.168.2.3
            Jul 21, 2021 18:10:59.137598991 CEST5663953192.168.2.38.8.4.4
            Jul 21, 2021 18:10:59.150541067 CEST53566398.8.4.4192.168.2.3
            Jul 21, 2021 18:10:59.164417982 CEST5185653192.168.2.38.8.8.8
            Jul 21, 2021 18:10:59.177824974 CEST53518568.8.8.8192.168.2.3

            DNS Queries


            DNS Answers


            Code Manipulations

            Statistics

            Behavior

            System Behavior

            General

            Start time: 18:08:55
            Start date: 21/07/2021
            Path: C:\Users\user\Desktop\yMI7.exe
            Wow64 process (32bit): true
            Commandline: 'C:\Users\user\Desktop\yMI7.exe'
            Imagebase: 0xba0000
            File size: 486400 bytes
            MD5 hash: 39121091956F8934B1C73041EE1CC90F
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: .Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.203043099.0000000000BA2000.00000002.00020000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.203043099.0000000000BA2000.00000002.00020000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000000.00000000.203043099.0000000000BA2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation: low

            General

            Start time: 18:09:09
            Start date: 21/07/2021
            Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Wow64 process (32bit): true
            Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
            Imagebase: 0x720000
            File size: 486400 bytes
            MD5 hash: 39121091956F8934B1C73041EE1CC90F
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: .Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.234012520.0000000000722000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.251432444.0000000000722000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.252582895.0000000003E41000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.252582895.0000000003E41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.252465646.0000000002E41000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.252465646.0000000002E41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            • Detection: 80%, Virustotal
            Reputation: low

            Disassembly

            Code Analysis
