
Windows Analysis Report Document.1-xml.eml.exe

Overview

General Information

Sample Name: Document.1-xml.eml.exe
Analysis ID: 452441
MD5: 4d48e3cbfc19b5729b6c7a968a957805
SHA1: 4863e913b2e5709d9ed8c5937ae046e2edeee152
SHA256: 45cf5d850ca6806fd9b55ef35a2ebe8aa2d9b724b67f96eac270c44d1a85e810
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Document.1-xml.eml.exe (PID: 6608 cmdline: 'C:\Users\user\Desktop\Document.1-xml.eml.exe' MD5: 4D48E3CBFC19B5729B6C7A968A957805)
    • Document.1-xml.eml.exe (PID: 5768 cmdline: 'C:\Users\user\Desktop\Document.1-xml.eml.exe' MD5: 4D48E3CBFC19B5729B6C7A968A957805)
      • schtasks.exe (PID: 5796 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A3F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5720 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DCA.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Document.1-xml.eml.exe (PID: 5540 cmdline: C:\Users\user\Desktop\Document.1-xml.eml.exe 0 MD5: 4D48E3CBFC19B5729B6C7A968A957805)
  • dhcpmon.exe (PID: 5556 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 4D48E3CBFC19B5729B6C7A968A957805)
  • dhcpmon.exe (PID: 5608 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 4D48E3CBFC19B5729B6C7A968A957805)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ec07ca6b-08b1-47be-b65b-f4ac1e81", "Group": "alozzzz", "Domain1": "194.5.98.136", "Domain2": "", "Port": 2888, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions 
Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(19 further memory dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
15.2.Document.1-xml.eml.exe.5050000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
15.2.Document.1-xml.eml.exe.5050000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
0.2.Document.1-xml.eml.exe.5915a0.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Document.1-xml.eml.exe.5915a0.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.Document.1-xml.eml.exe.5915a0.1.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(41 further unpacked PE entries not shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Document.1-xml.eml.exe, ProcessId: 5768, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: same File created event (EventID 11, run.dat) as listed under AV Detection

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: same File created event (EventID 11, run.dat) as listed under AV Detection

Remote Access Functionality:

Sigma detected: NanoCore
Source: same File created event (EventID 11, run.dat) as listed under AV Detection

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.924630766.00000000036DF000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (the same configuration as shown in the Malware Configuration section above)
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: Document.1-xml.eml.exe | ReversingLabs: Detection: 19%
Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.52f0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.52f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.36e7a58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.36ec081.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Document.1-xml.eml.exe.52f4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.924630766.00000000036DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORY
Source: Yara match | File source: Process Memory Space: Document.1-xml.eml.exe PID: 5768, type: MEMORY
Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.Document.1-xml.eml.exe.52f0000.8.unpack | Avira: Label: TR/NanoCore.fadte
Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack | Avira: Label: TR/NanoCore.fadte

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Unpacked PE file: 15.2.Document.1-xml.eml.exe.400000.0.unpack
Source: Document.1-xml.eml.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: Binary string: \??\C:\Windows\dll\System.pdb| source: Document.1-xml.eml.exe, 0000000F.00000003.897541531.0000000000862000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.pdbxx source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb0 source: Document.1-xml.eml.exe, 0000000F.00000003.897541531.0000000000862000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
Source: Binary string: System.pdb H source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
Source: Binary string: 1hoC:\Windows\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
Source: Binary string: p}}bsymbols\dll\System.pdb} source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
Source: Binary string: r`indows\System.pdbpdbtem.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System\2.0.0.0__b77a5c561934e089\System.dll source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.920175519.0000000000824000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.919751533.0000000000605000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.925573680.0000000005A8C000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: Document.1-xml.eml.exe, 0000000F.00000002.925330662.0000000004FF0000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: Document.1-xml.eml.exe, 0000000F.00000003.897541531.0000000000862000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\SysWOW64\KERNELBASE.dll
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\SysWOW64\MSCOREE.DLL
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17134.1_none_8ef454a057103afa
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\SysWOW64\KERNEL32.dll
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49759 -> 194.5.98.136:2888
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49760 -> 194.5.98.136:2888
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49761 -> 194.5.98.136:2888
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49762 -> 194.5.98.136:2888
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49763 -> 194.5.98.136:2888
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49764 -> 194.5.98.136:2888
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49765 -> 194.5.98.136:2888
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 194.5.98.136:2888
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 194.5.98.136
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 194.5.98.136:2888
Source: Joe Sandbox View | ASN Name: DANILENKODE DANILENKODE
Source: unknown | TCP traffic detected without corresponding DNS query: 194.5.98.136 (50 occurrences)
Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_04912E3E WSARecv
Source: dhcpmon.exe, 00000016.00000002.908498339.00000000006F8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Document.1-xml.eml.exe, 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | the same 20 unpacked PE and memory sources as listed under AV Detection above

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 15.2.Document.1-xml.eml.exe.5050000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.Document.1-xml.eml.exe.36ec081.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.Document.1-xml.eml.exe.52f4629.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.Document.1-xml.eml.exe.2691280.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.925370927.0000000005050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Document.1-xml.eml.exe PID: 5768, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Document.1-xml.eml.exe PID: 5768, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Executable has a suspicious name (potential lure to open the executable)
        Source: Document.1-xml.eml.exe | Static file information: Suspicious name
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: Document.1-xml.eml.exe
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Process Stats: CPU usage > 98%
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_049116DA NtQuerySystemInformation
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_0491169F NtQuerySystemInformation
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F3850
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F89D8
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047FB2A8
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F2FA8
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F23A0
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F306F
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F95D8
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: 15_2_047F969F
        Source: C:\Users\user\Desktop\Document.1-xml.eml.exe | Code function: String function: 02410590 appears 43 times
        Source: Document.1-xml.eml.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Document.1-xml.eml.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.15.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.15.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.920117885.00000000007DA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925330662.0000000004FF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925621310.0000000005BA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925039372.0000000004900000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 0000000F.00000002.925370927.0000000005050000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe, 00000015.00000002.910716613.0000000000658000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs Document.1-xml.eml.exe
        Source: Document.1-xml.eml.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
        Source: 15.2.Document.1-xml.eml.exe.5050000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.5050000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.52f0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.4a315a0.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Document.1-xml.eml.exe.5915a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.36e7a58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.1.Document.1-xml.eml.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.Document.1-xml.eml.exe.36ec081.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.36ec081.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.Document.1-xml.eml.exe.52f4629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.52f4629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.Document.1-xml.eml.exe.2691280.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.Document.1-xml.eml.exe.2691280.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.917015310.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.925370927.0000000005050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.925370927.0000000005050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Document.1-xml.eml.exe PID: 5768, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Document.1-xml.eml.exe PID: 5768, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stat
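The memory-match lines above (both the short "Matched rule: ... Author: ..." form and the long metadata form) carry the same triage-relevant fields in the dump name: the sandbox process index (0x0F = process 15, 0x17 = process 23 = dhcpmon.exe, 0x00 = the initial sample), the region base address, and a page-protection field. The script below is an added example written for this report, not Joe Sandbox code: it parses such lines, maps the process index and protection field, and lists the matches that fall in executable-and-writable memory, which is where the unpacked NanoCore image sits (0x402000 in process 15, 0x4A30000 in process 23, 0x590000 in process 0). The sample lines are copied verbatim from this page, separator-fusion included; reading the fifth dump-name field as a Win32 PAGE_* protection value is an assumption inferred from the values seen (0x40 and 0x04).

```python
import re
from collections import defaultdict

# Constructed input: five memory-match lines copied verbatim (fused separators
# and all) from the signature list above, so the parser runs offline.
SAMPLE_LINES = """\
Source: 0000000F.00000002.925419136.00000000052F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000001.798397653.0000000000402000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.920655306.0000000004A30000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.799147726.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5608, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
"""

# ASSUMPTION: the fifth field of a dump name is the Win32 PAGE_* protection of
# the region. 0x40 (EXECUTE_READWRITE) on the 0x402000 image and 0x04
# (READWRITE) on heap data are the values this report shows.
PAGE_PROTECTION = {
    0x01: "NOACCESS", 0x02: "READONLY", 0x04: "READWRITE", 0x08: "WRITECOPY",
    0x10: "EXECUTE", 0x20: "EXECUTE_READ", 0x40: "EXECUTE_READWRITE",
    0x80: "EXECUTE_WRITECOPY",
}
EXECUTABLE_WRITABLE = {"EXECUTE_READWRITE", "EXECUTE_WRITECOPY"}

# Dump-name layout: <proc>.<stage>.<id>.<base>.<prot>.<type>.sdmp; the "type:
# MEMORY" cell may be fused to "Matched rule:" or separated by " | ".
_TAIL = r"\s*type:\s*MEMORY\s*\|?\s*Matched rule:\s*(?P<rule>.+?)\s+Author:\s*(?P<author>.+?)\s*$"
DUMP_RE = re.compile(
    r"^Source:\s+(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp,"
    + _TAIL
)
PROCMEM_RE = re.compile(
    r"^Source:\s+Process Memory Space:\s+(?P<image>\S+)\s+PID:\s+(?P<pid>\d+)," + _TAIL
)


def parse_line(line):
    """Parse one signature line; return a dict, or None if it is not a memory match."""
    line = line.strip()
    m = DUMP_RE.match(line)
    if m:
        prot = int(m["prot"], 16)
        return {
            "kind": "dump",
            "process": int(m["proc"], 16),  # sandbox process index, e.g. 15 in "15.2.Document..."
            "stage": int(m["stage"], 16),
            "base": int(m["base"], 16),
            "protection": PAGE_PROTECTION.get(prot & 0xFF, hex(prot)),
            "rule": m["rule"],
            "author": m["author"],
        }
    m = PROCMEM_RE.match(line)
    if m:
        return {
            "kind": "procmem", "process": m["image"], "pid": int(m["pid"]),
            "base": None, "protection": None, "rule": m["rule"], "author": m["author"],
        }
    return None


def parse_report(text):
    """All memory matches in a block of report text, in order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(matches):
    """Map each process (index or image+PID) to the set of rule names that fired in it."""
    by_proc = defaultdict(set)
    for r in matches:
        label = (f"process {r['process']}" if r["kind"] == "dump"
                 else f"{r['process']} (PID {r['pid']})")
        by_proc[label].add(r["rule"])
    return dict(by_proc)


def rwx_hits(matches):
    """(process index, base) of dump matches in executable+writable memory: unpacked payload candidates."""
    return [(r["process"], r["base"]) for r in matches
            if r["kind"] == "dump" and r["protection"] in EXECUTABLE_WRITABLE]


if __name__ == "__main__":
    found = parse_report(SAMPLE_LINES)
    for proc, rules in sorted(summarize(found).items()):
        print(f"{proc}: {', '.join(sorted(rules))}")
    for proc, base in sorted(rwx_hits(found)):
        print(f"RWX region with NanoCore match: process {proc} @ {base:#x}")
```

Run against the full signature list, the RWX hits give the three regions worth dumping for configuration extraction; the READWRITE matches (0x52F0000, 0x5050000) are the plugin and data blobs named in the OriginalFilename strings above, not the executable image.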