
Windows Analysis Report gXcRJ8123G.exe

Overview

General Information

Sample Name: gXcRJ8123G.exe
Analysis ID: 452188
MD5: 767e1c497ff0d617de66c2d8ece44c49
SHA1: 118e1e764cd05b98c631bb9a5687acae94f208e1
SHA256: f84b3abd9e10ed3595fb957ba10f2c222fa6ac99605bbfd768cc65ee4f59e6e8
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Process Tree

  • System is w10x64
  • gXcRJ8123G.exe (PID: 1700 cmdline: 'C:\Users\user\Desktop\gXcRJ8123G.exe' MD5: 767E1C497FF0D617DE66C2D8ECE44C49)
    • schtasks.exe (PID: 6092 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4108 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • gXcRJ8123G.exe (PID: 1872 cmdline: C:\Users\user\Desktop\gXcRJ8123G.exe 0 MD5: 767E1C497FF0D617DE66C2D8ECE44C49)
  • dhcpmon.exe (PID: 2944 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 767E1C497FF0D617DE66C2D8ECE44C49)
  • dhcpmon.exe (PID: 5700 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 767E1C497FF0D617DE66C2D8ECE44C49)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "03e670ce-e449-4fbc-8c90-b68dc609",
  "Group": "Scammer",
  "Domain1": "188.141.118.122",
  "Domain2": "188.141.118.122",
  "Port": 6666,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Enable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Initial Sample

Source | Rule | Description | Author (matched strings are listed below each row)
gXcRJ8123G.exe | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
gXcRJ8123G.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
gXcRJ8123G.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
gXcRJ8123G.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Dropped Files

Source | Rule | Description | Author (matched strings are listed below each row)
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Memory Dumps

Source | Rule | Description | Author (matched strings are listed below each row)
00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x23ba3:$a: NanoCore
  • 0x23bfc:$a: NanoCore
  • 0x23c39:$a: NanoCore
  • 0x23cb2:$a: NanoCore
  • 0x23c05:$b: ClientPlugin
  • 0x23c42:$b: ClientPlugin
  • 0x24540:$b: ClientPlugin
  • 0x2454d:$b: ClientPlugin
  • 0x1b919:$e: KeepAlive
  • 0x2408d:$g: LogClientMessage
  • 0x2400d:$i: get_Connected
  • 0x15bd5:$j: #=q
  • 0x15c05:$j: #=q
  • 0x15c41:$j: #=q
  • 0x15c69:$j: #=q
  • 0x15c99:$j: #=q
  • 0x15cc9:$j: #=q
  • 0x15cf9:$j: #=q
  • 0x15d29:$j: #=q
  • 0x15d45:$j: #=q
  • 0x15d75:$j: #=q
(the report lists 41 memory-dump entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed below each row)
0.3.gXcRJ8123G.exe.420dc45.2.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x605:$x1: NanoCore.ClientPluginHost
  • 0x3bd6:$x1: NanoCore.ClientPluginHost
  • 0x63e:$x2: IClientNetworkHost
0.3.gXcRJ8123G.exe.420dc45.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x605:$x2: NanoCore.ClientPluginHost
  • 0x3bd6:$x2: NanoCore.ClientPluginHost
  • 0x720:$s4: PipeCreated
  • 0x3cb4:$s4: PipeCreated
  • 0x61f:$s5: IClientLoggingHost
  • 0x3bf0:$s5: IClientLoggingHost
5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0x24170:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
  • 0x2419d:$x2: IClientNetworkHost
5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0x24170:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0x2524b:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
  • 0x2418a:$s5: IClientLoggingHost
5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(the report lists 75 unpacked-PE entries in total; only the first are shown here)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\gXcRJ8123G.exe, ProcessId: 1700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality:

Sigma detected: NanoCore (the same file-creation event as listed under AV Detection)

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: gXcRJ8123G.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Found malware configuration
Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (the full extracted configuration is listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: 188.141.118.122 | Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 84%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 100%
Multi AV Scanner detection for submitted file
Source: gXcRJ8123G.exe | Virustotal: Detection: 84%
Source: gXcRJ8123G.exe | ReversingLabs: Detection: 100%
Yara detected Nanocore RAT
Source: Yara match | File source: gXcRJ8123G.exe, type: SAMPLE
Source: Yara match | File source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY
Source: Yara match | File source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: gXcRJ8123G.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.dhcpmon.exe.780000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.dhcpmon.exe.390000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.dhcpmon.exe.390000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.dhcpmon.exe.780000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: gXcRJ8123G.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\gXcRJ8123G.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb | source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 188.141.118.122
Source: global traffic | TCP traffic: 192.168.2.6:49718 -> 188.141.118.122:6666
Source: Joe Sandbox View | ASN Name: LIBERTYGLOBAL LibertyGlobalformerlyUPCBroadbandHolding
Source: unknown | TCP traffic detected without corresponding DNS query: 188.141.118.122 (this entry appears 50 times in the report)
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: gXcRJ8123G.exe, 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (the same Yara match sources as listed under AV Detection)