Source: Yara match |
File source: 7.2.sys30.exe.38e56c8.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.sys30.exe.564629.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.sys30.exe.560000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.sys30.exe.70000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.sys30.exe.3a7eed1.34.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 7.2.sys30.exe.38e56c8.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 7.2.sys30.exe.38bd6a8.9.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 7.2.sys30.exe.39356e8.11.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 7.2.sys30.exe.38bd6a8.9.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.sys30.exe.37385c8.23.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 7.2.sys30.exe.39356e8.11.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.sys30.exe.389bc09.29.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.sys30.exe.37385c8.23.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000009.00000002.684939765.0000000000560000.00000004.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.695836802.0000000003868000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.689054491.00000000026D1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.693489208.000000000389A000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.682271696.0000000000072000.00000020.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.695690070.0000000003719000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.692921924.0000000003719000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.694133779.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.695923409.0000000003935000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: sys30.exe PID: 3048, type: MEMORYSTR |
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe |
Joe Sandbox ML: detected |
Source: C:\Users\Public\vbc.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe |
Joe Sandbox ML: detected |
Source: 9.2.sys30.exe.560000.3.unpack |
Avira: Label: TR/NanoCore.fadte |
Source: 9.2.sys30.exe.70000.0.unpack |
Avira: Label: TR/Dropper.Gen |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process created: C:\Users\Public\vbc.exe |
Source: unknown |
HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.22:49166 version: TLS 1.0 |
Source: unknown |
HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.22:49168 version: TLS 1.0 |
Source: unknown |
HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.22:49170 version: TLS 1.0 |
Source: C:\Users\Public\vbc.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-08h] 6_2_0038DB3F |
Source: C:\Users\Public\vbc.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-08h] 6_2_0038BC70 |
Source: C:\Users\Public\vbc.exe |
Code function: 4x nop then jmp 00384610h 6_2_00383D88 |
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe |
Code function: 4x nop then mov dword ptr [ebp-40h], 00000001h 7_2_0038D750 |
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_0038BC70 |
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe |
Code function: 4x nop then jmp 00384610h 7_2_00383D88 |
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe |
Code function: 4x nop then jmp 00C29F46h 7_2_00C29E08 |
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe |
Code function: 4x nop then jmp 00C2B4CCh 7_2_00C2B338 |
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe |
Code function: 4x nop then jmp 00C29F46h 7_2_00C29DF9 |
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe |
Code function: 4x nop then jmp 00C2B4CCh 7_2_00C2B328 |
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-08h] 9_2_0062F300 |
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-08h] 9_2_0062F2FD |
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-04h] 9_2_00629A02 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 001D0797h 11_2_001D0560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 001D0797h 11_2_001D0550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 001C0797h 12_2_001C0560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 001C0797h 12_2_001C0550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00330797h 13_2_00330560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00330797h 13_2_00330550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 001F0797h 14_2_001F0560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 001F0797h 14_2_001F0550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00210797h 15_2_00210560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00210797h 15_2_00210550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 003A0797h 16_2_003A0560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 003A0797h 16_2_003A0550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 002E0797h 17_2_002E0560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 002E0797h 17_2_002E0550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 001E0797h 18_2_001E0560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 001E0797h 18_2_001E0550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 001D0797h 19_2_001D0560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 001D0797h 19_2_001D0550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00690797h 20_2_00690560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00690797h 20_2_00690550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00450797h 21_2_00450560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00450797h 21_2_00450550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00250797h 22_2_00250560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00250797h 22_2_00250550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 003F0797h 23_2_003F0560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 003F0797h 23_2_003F0550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00190797h 24_2_00190560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00190797h 24_2_00190550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 002F0797h 25_2_002F0560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 002F0797h 25_2_002F0550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 002D0797h 26_2_002D0560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 002D0797h 26_2_002D0550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00280797h 27_2_00280560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00280797h 27_2_00280550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00320797h 28_2_00320560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00320797h 28_2_00320550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 002C0797h 29_2_002C0560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 002C0797h 29_2_002C0550 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00220797h 30_2_00220560 |
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe |
Code function: 4x nop then jmp 00220797h 30_2_00220550 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 194.5.98.103:5230 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 194.5.98.103:5230 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 194.5.98.103:5230 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 194.5.98.103:5230 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 194.5.98.103:5230 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 194.5.98.103:5230 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 194.5.98.103:5230 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49179 -> 194.5.98.103:5230 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49180 -> 194.5.98.103:5230 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49181 -> 194.5.98.103:5230 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49182 -> 194.5.98.103:5230 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49183 -> 194.5.98.103:5230 |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Sep 2021 19:48:11 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.9Last-Modified: Tue, 14 Sep 2021 18:45:13 GMTETag: "a2e00-5cbf8fb685aa3"Accept-Ranges: bytesContent-Length: 667136Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 90 60 7f 18 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 24 0a 00 00 08 00 00 00 00 00 00 ce 43 0a 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0a 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 43 0a 00 4b 00 00 00 00 60 0a 00 04 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 23 0a 00 00 20 00 00 00 24 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 04 04 00 00 00 60 0a 00 00 06 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0a 00 00 02 00 00 00 2c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 43 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 9c ec 08 00 e4 56 01 00 03 00 02 00 47 00 00 06 b8 79 01 00 e0 6b 07 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 20 9c 01 00 00 8d 01 00 00 01 25 d0 64 01 00 04 28 01 00 00 0a 80 65 01 00 04 20 94 00 00 00 8d 05 00 00 01 25 d0 66 01 00 04 28 01 00 00 0a 80 67 01 00 04 2a 1e 02 28 02 00 00 0a 2a 26 00 02 28 05 00 00 0a 00 2a ce 73 06 00 00 0a 80 01 00 00 04 73 07 00 00 0a 80 02 00 00 04 73 08 00 00 0a 80 03 00 00 04 73 09 00 00 0a 80 04 00 00 04 73 0a 00 00 0a 80 05 00 00 0 |