Windows Analysis Report mNgTZMYBA8

Overview

General Information

Sample Name: mNgTZMYBA8 (renamed file extension from none to exe)
Analysis ID: 483162
MD5: 19665f929613c0e945ff13dd25c9362e
SHA1: 7c68cdd329f0af85782a4b567f9fa37928f942e8
SHA256: d21eca1ae974ef45b254c64420a069072ce32fce6c191b526d9e81ecfa4537ff
Tags: 32, exe, trojan

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign process
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • mNgTZMYBA8.exe (PID: 6516 cmdline: 'C:\Users\user\Desktop\mNgTZMYBA8.exe' MD5: 19665F929613C0E945FF13DD25C9362E)
    • schtasks.exe (PID: 6880 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RWbqWnnjDWI' /XML 'C:\Users\user\AppData\Local\Temp\tmp30BB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6896 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • schtasks.exe (PID: 6960 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF15E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 7036 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF892.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 7060 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6200 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 3436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 3292 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "6f656d69-7475-8807-1300-000c0a4c",
  "Group": "Default",
  "Domain1": "blackbladeinc52.ddns.net",
  "Domain2": "Backup Connection Host",
  "Port": 1664,
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.484771040.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.484771040.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000007.00000002.484771040.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000000.00000002.255596387.000000000A54E000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x10c05:$x1: NanoCore.ClientPluginHost
  • 0x10c42:$x2: IClientNetworkHost
  • 0x14775:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.255596387.000000000A54E000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.mNgTZMYBA8.exe.a4294b8.7.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.mNgTZMYBA8.exe.a4294b8.7.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.mNgTZMYBA8.exe.a4294b8.7.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.mNgTZMYBA8.exe.a4294b8.7.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
7.2.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6896, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6896, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\mNgTZMYBA8.exe', ParentImage: C:\Users\user\Desktop\mNgTZMYBA8.exe, ParentProcessId: 6516, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6896
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\mNgTZMYBA8.exe', ParentImage: C:\Users\user\Desktop\mNgTZMYBA8.exe, ParentProcessId: 6516, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6896

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6896, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6896, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.mNgTZMYBA8.exe.a4294b8.7.raw.unpack; Malware Configuration Extractor: NanoCore (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: mNgTZMYBA8.exe; Virustotal: Detection: 35%
Source: mNgTZMYBA8.exe; ReversingLabs: Detection: 39%
Multi AV Scanner detection for domain / URL
Source: blackbladeinc52.ddns.net; Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\RWbqWnnjDWI.exe; ReversingLabs: Detection: 39%
Yara detected Nanocore RAT
Source: Yara match; File source: 0.2.mNgTZMYBA8.exe.a4294b8.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.mNgTZMYBA8.exe.a4294b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.484771040.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.255596387.000000000A54E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.254602570.000000000A391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: mNgTZMYBA8.exe PID: 6516, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6896, type: MEMORYSTR
Machine Learning detection for sample
Source: mNgTZMYBA8.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\RWbqWnnjDWI.exe; Joe Sandbox ML: detected
Source: 7.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: mNgTZMYBA8.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\mNgTZMYBA8.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: mNgTZMYBA8.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000007.00000002.490885257.00000000028A5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.490885257.00000000028A5000.00000004.00000040.sdmp
Source: Binary string: ib.pdb source: RegSvcs.exe, 00000007.00000002.487863512.0000000000B94000.00000004.00000020.sdmp
Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000007.00000002.490885257.00000000028A5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.490885257.00000000028A5000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.7.dr
Source: Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000007.00000002.490885257.00000000028A5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000007.00000002.490885257.00000000028A5000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: RegSvcs.exe, 00000007.00000002.490885257.00000000028A5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000007.00000002.490885257.00000000028A5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdb source: RegSvcs.exe, 00000007.00000002.490885257.00000000028A5000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: blackbladeinc52.ddns.net
Source: Malware configuration extractor; URLs: Backup Connection Host
Uses dynamic DNS services
Source: unknown; DNS query: name: blackbladeinc52.ddns.net
Source: unknown; DNS traffic detected: query: blackbladeinc52.ddns.net replaycode: Name error (3)
Source: unknown; DNS traffic detected: queries for: blackbladeinc52.ddns.net
Source: mNgTZMYBA8.exe, 00000000.00000002.243887851.0000000000DA0000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0.2.mNgTZMYBA8.exe.a4294b8.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.mNgTZMYBA8.exe.a4294b8.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000007.00000002.484771040.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.255596387.000000000A54E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.254602570.000000000A391000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: mNgTZMYBA8.exe PID: 6516, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6896, type: MEMORYSTR

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0.2.mNgTZMYBA8.exe.a4294b8.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.mNgTZMYBA8.exe.a4294b8.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.mNgTZMYBA8.exe.a4294b8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.mNgTZMYBA8.exe.a4294b8.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.RegSvcs.exe.2c016e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000007.00000002.484771040.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000007.00000002.484771040.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.255596387.000000000A54E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.255596387.000000000A54E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.254602570.000000000A391000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.254602570.000000000A391000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: mNgTZMYBA8.exe PID: 6516, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: mNgTZMYBA8.exe PID: 6516, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 6896, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 6896, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        .NET source code contains very large strings
        Source: mNgTZMYBA8.exe, ConsoleGame/Form1.cs | Long String: Length: 50988
        Source: RWbqWnnjDWI.exe.0.dr, ConsoleGame/Form1.cs | Long String: Length: 50988
        Source: 0.0.mNgTZMYBA8.exe.630000.0.unpack, ConsoleGame/Form1.cs | Long String: Length: 50988
        Source: 0.2.mNgTZMYBA8.exe.630000.0.unpack, ConsoleGame/Form1.cs | Long String: Length: 50988
        Source: mNgTZMYBA8.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0.2.mNgTZMYBA8.exe.a4294b8.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.mNgTZMYBA8.exe.a4294b8.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.mNgTZMYBA8.exe.a4294b8.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.mNgTZMYBA8.exe.a4294b8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.mNgTZMYBA8.exe.a4294b8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.mNgTZMYBA8.exe.a4294b8.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.RegSvcs.exe.2c016e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.RegSvcs.exe.2c016e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000007.00000002.484771040.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.484771040.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.255596387.000000000A54E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.255596387.000000000A54E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.254602570.000000000A391000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.254602570.000000000A391000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: mNgTZMYBA8.exe PID: 6516, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: mNgTZMYBA8.exe PID: 6516, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 6896, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 6896, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111D910
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111E158
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111DD75
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111E57A
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01117180
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111B430
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111638B
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_011143A0
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111AFA8
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01113FE8
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111EBE8
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01115A50
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01113A98
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01115EC0
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111D901
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111BD00
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111E147
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111C970
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111717B
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111C980
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01119428
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01119058
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01119048
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01113CF8
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01113CE9
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111BCEF
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111EF19
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111EF28
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01118B28
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01114748
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01114391
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01113FD9
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111EBD8
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111A7C8
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01118E30
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01118E40
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01117E79
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01119280
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01117E88
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01119288
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111C2A0
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0111B6A0
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0B6B0070
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_0B6B0006
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_011101F1
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_01110200
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 7_2_0285B238
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 7_2_028523A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 7_2_02852FA8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 7_2_02853850
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 7_2_028589D8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 7_2_0285969F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 7_2_0285238F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 7_2_0285306F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 7_2_028595D8
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_02991EE6 NtQuerySystemInformation
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_02991EC4 NtQuerySystemInformation
        Source: mNgTZMYBA8.exe, 00000000.00000002.246056735.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs mNgTZMYBA8.exe
        Source: mNgTZMYBA8.exe, 00000000.00000002.244649950.0000000002E01000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs mNgTZMYBA8.exe
        Source: mNgTZMYBA8.exe, 00000000.00000002.243515092.00000000006B4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameulo.exe8 vs mNgTZMYBA8.exe
        Source: mNgTZMYBA8.exe, 00000000.00000002.243887851.0000000000DA0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs mNgTZMYBA8.exe
        Source: mNgTZMYBA8.exe | Binary or memory string: OriginalFilenameulo.exe8 vs mNgTZMYBA8.exe
        Source: mNgTZMYBA8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: RWbqWnnjDWI.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: mNgTZMYBA8.exe | Virustotal: Detection: 35%
        Source: mNgTZMYBA8.exe | ReversingLabs: Detection: 39%
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | File read: C:\Users\user\Desktop\mNgTZMYBA8.exe
        Source: mNgTZMYBA8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\mNgTZMYBA8.exe 'C:\Users\user\Desktop\mNgTZMYBA8.exe'
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RWbqWnnjDWI' /XML 'C:\Users\user\AppData\Local\Temp\tmp30BB.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF15E.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF892.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RWbqWnnjDWI' /XML 'C:\Users\user\AppData\Local\Temp\tmp30BB.tmp'
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF15E.tmp'
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF892.tmp'
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_02991D52 AdjustTokenPrivileges
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Code function: 0_2_02991D1B AdjustTokenPrivileges
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | File created: C:\Users\user\AppData\Roaming\RWbqWnnjDWI.exe
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | File created: C:\Users\user\AppData\Local\Temp\tmp30BB.tmp
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@18/14@45/1
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\mNgTZMYBA8.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp