Windows Analysis Report IDeVaZ8ESy.exe

Overview

General Information

Sample Name: IDeVaZ8ESy.exe
Analysis ID: 452411
MD5: b0876b8da9dcb8a3b22d2cbf2b6a4711
SHA1: 80e619da78e64bf6845f284c50bfacf17c55a274
SHA256: d6215a4b16d74db6dafc28a78f15885de77570347acfbac416f18b223ba08e26
Tags: exe, NanoCore, RAT
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • IDeVaZ8ESy.exe (PID: 5976 cmdline: 'C:\Users\user\Desktop\IDeVaZ8ESy.exe' MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
    • IDeVaZ8ESy.exe (PID: 1384 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
    • IDeVaZ8ESy.exe (PID: 5056 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
      • schtasks.exe (PID: 6064 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • IDeVaZ8ESy.exe (PID: 5972 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe 0 MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
    • IDeVaZ8ESy.exe (PID: 1276 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "0bb207a5-6f92-4ff1-abb5-35e0dc25", "Group": "AUGUST", "Domain1": "asweee.jumpingcrab.com", "Domain2": "tryweaswweee.ydns.eu", "Port": 8234, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "asweee.jumpingcrab.com", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x57b01:$x1: NanoCore.ClientPluginHost
  • 0x57b3e:$x2: IClientNetworkHost
  • 0x5b671:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x57869:$a: NanoCore
  • 0x57879:$a: NanoCore
  • 0x57aad:$a: NanoCore
  • 0x57ac1:$a: NanoCore
  • 0x57b01:$a: NanoCore
  • 0x578c8:$b: ClientPlugin
  • 0x57aca:$b: ClientPlugin
  • 0x57b0a:$b: ClientPlugin
  • 0x579ef:$c: ProjectData
  • 0x583f6:$d: DESCrypto
  • 0x59fab:$i: get_Connected
  • 0x5872c:$j: #=q
  • 0x5875c:$j: #=q
  • 0x58778:$j: #=q
  • 0x587a8:$j: #=q
  • 0x587c4:$j: #=q
  • 0x587e0:$j: #=q
  • 0x58810:$j: #=q
  • 0x5882c:$j: #=q
  • 0x58870:$j: #=q
  • 0x5888c:$j: #=q
(22 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.IDeVaZ8ESy.exe.3df0614.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
12.2.IDeVaZ8ESy.exe.3df0614.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
12.2.IDeVaZ8ESy.exe.3df0614.5.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0x287b9:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
  • 0x287e6:$x2: IClientNetworkHost
12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x287b9:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0x29894:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
  • 0x287d3:$s5: IClientLoggingHost
(28 further entries not shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, ReversingLabs: Detection: 32%
Multi AV Scanner detection for submitted file
Source: IDeVaZ8ESy.exe, Virustotal: Detection: 23%
Source: IDeVaZ8ESy.exe, Metadefender: Detection: 20%
Source: IDeVaZ8ESy.exe, ReversingLabs: Detection: 32%
Yara detected Nanocore RAT
Source: Yara match, File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY
Source: Yara match, File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: IDeVaZ8ESy.exe, Joe Sandbox ML: detected
Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: IDeVaZ8ESy.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: IDeVaZ8ESy.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49709 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49722 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49723 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49727 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49731 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 37.0.8.214:8234
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: tryweaswweee.ydns.eu
Source: Malware configuration extractor, URLs: asweee.jumpingcrab.com
Source: global traffic, TCP traffic: 192.168.2.3:49709 -> 37.0.8.214:8234
Source: unknown, DNS traffic detected: queries for: asweee.jumpingcrab.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY
Source: Yara match, File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.IDeVaZ8ESy.exe.2e09668.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Code function: 1_2_018CC224
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Code function: 1_2_018CE5E1
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Code function: 1_2_018CE5F0
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_0091C224
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_0091E5F0
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_0091E5E2
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_06551600
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_06556FA8
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_0655410F
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_065515F0
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_07037FA0
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 12_2_0137E471
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 12_2_0137E480
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 12_2_0137BBD4
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 12_2_01379EA8
Source: IDeVaZ8ESy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IDeVaZ8ESy.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IDeVaZ8ESy.exe, 00000001.00000003.241816461.0000000007F51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 00000001.00000002.259661598.0000000007A90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNlljmbtp.dll" vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 00000001.00000003.238305194.000000000429A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCdmugmphdzemkomhbdp.dllH vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 00000001.00000002.259352009.00000000078F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 00000001.00000002.252510635.0000000003271000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 00000001.00000002.259331908.00000000078E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 00000005.00000002.247120178.000000000032A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 00000006.00000000.249621020.000000000092A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 00000006.00000003.262207809.00000000010D7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000A.00000002.301424388.0000000006A10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000A.00000003.272026021.0000000003B2D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNlljmbtp.dll" vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000A.00000000.259450434.000000000017A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000A.00000002.279145617.000000000093A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000A.00000002.301092213.0000000006510000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000A.00000002.282775886.0000000003591000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCdmugmphdzemkomhbdp.dllH vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000C.00000002.302461302.0000000005320000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000C.00000000.274586312.00000000009BA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.IDeVaZ8ESy.exe.2e09668.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.IDeVaZ8ESy.exe.2e09668.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: IDeVaZ8ESy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: IDeVaZ8ESy.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/9@16/1
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IDeVaZ8ESy.exe.log
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{0bb207a5-6f92-4ff1-abb5-35e0dc25fe5d}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2476:120:WilError_01
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | File created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
Source: IDeVaZ8ESy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IDeVaZ8ESy.exe | Virustotal: Detection: 23%
Source: IDeVaZ8ESy.exe | Metadefender: Detection: 20%
Source: IDeVaZ8ESy.exe | ReversingLabs: Detection: 32%
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | File read: C:\Users\user\Desktop\IDeVaZ8ESy.exe
Source: unknown | Process created: C:\Users\user\Desktop\IDeVaZ8ESy.exe 'C:\Users\user\Desktop\IDeVaZ8ESy.exe'
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp'
      Source: C:\Windows\SysWOW64\scht