
Windows Analysis Report 2FXSF6MXcV.exe

Overview

General Information

Sample Name: 2FXSF6MXcV.exe
Analysis ID: 509412
MD5: e13b24cda6737f13b2dc3f2c20d8823b
SHA1: b58a2436a4befb5b7465153a72f64fd17531644c
SHA256: f8ee546f04fa175fa9a8b1f3de8595bd0a4f6aebfeed50a95c5e309d49063e1e
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Drops executable to a common third party application directory
Machine Learning detection for sample
.NET source code contains potential unpacker
Sigma detected: Suspicious Svchost Process
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • 2FXSF6MXcV.exe (PID: 6132 cmdline: 'C:\Users\user\Desktop\2FXSF6MXcV.exe' MD5: E13B24CDA6737F13B2DC3F2C20D8823B)
    • svchost.exe (PID: 4936 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • 2FXSF6MXcV.exe (PID: 4936 cmdline: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe MD5: E13B24CDA6737F13B2DC3F2C20D8823B)
  • firefox.exe (PID: 5536 cmdline: 'C:\Users\user\AppData\Roaming\firefox.exe' MD5: E13B24CDA6737F13B2DC3F2C20D8823B)
  • firefox.exe (PID: 6312 cmdline: 'C:\Users\user\AppData\Roaming\firefox.exe' MD5: E13B24CDA6737F13B2DC3F2C20D8823B)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "9b8ed064-d4db-4d21-985f-e3763341", "Group": "OCT", "Domain1": "chongmei33.publicvm.com", "Domain2": "chongmei33.publicvm.com", "Port": 5569, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
(34 entries in total; only the first are shown here)

Unpacked PEs

Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source: 19.2.2FXSF6MXcV.exe.65e4629.8.raw.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
(74 entries in total; only the first are shown here)

        Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe, ProcessId: 4936, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe, ProcessId: 4936, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\2FXSF6MXcV.exe' , ParentImage: C:\Users\user\Desktop\2FXSF6MXcV.exe, ParentProcessId: 6132, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, ProcessId: 4936
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\2FXSF6MXcV.exe' , ParentImage: C:\Users\user\Desktop\2FXSF6MXcV.exe, ParentProcessId: 6132, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, ProcessId: 4936

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe, ProcessId: 4936, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe, ProcessId: 4936, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Jbx Signature Overview


        AV Detection:

Found malware configuration
Source: 00000013.00000002.554569940.00000000043B9000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "9b8ed064-d4db-4d21-985f-e3763341", "Group": "OCT", "Domain1": "chongmei33.publicvm.com", "Domain2": "chongmei33.publicvm.com", "Port": 5569, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for submitted file
Source: 2FXSF6MXcV.exe; ReversingLabs: Detection: 33%
Antivirus / Scanner detection for submitted sample
Source: 2FXSF6MXcV.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\firefox.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Roaming\firefox.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe; ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\firefox.exe; ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\firefox.exe; ReversingLabs: Detection: 33%
Yara detected Nanocore RAT
Source: Yara match; File source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.65e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.2FXSF6MXcV.exe.4105530.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.65e0000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.43bff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.2FXSF6MXcV.exe.43a6a40.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.43bb116.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.2FXSF6MXcV.exe.4105530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.43bff4c.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.65e0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.2FXSF6MXcV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.2FXSF6MXcV.exe.43cea60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.2FXSF6MXcV.exe.43a6a40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.2FXSF6MXcV.exe.43cea60.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.43c4575.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.404881543.00000000043C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.556312949.00000000065E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.422619914.000000000437F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.411248412.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.412380595.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.554569940.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.549310054.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.417608309.0000000004101000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 2FXSF6MXcV.exe PID: 6132, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 2FXSF6MXcV.exe PID: 4936, type: MEMORYSTR
Machine Learning detection for sample
Source: 2FXSF6MXcV.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\firefox.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\firefox.exe; Joe Sandbox ML: detected
Source: 0.0.2FXSF6MXcV.exe.ce0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 19.0.2FXSF6MXcV.exe.ff0000.5.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.2FXSF6MXcV.exe.ff0000.2.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 24.0.firefox.exe.d80000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 19.2.2FXSF6MXcV.exe.65e0000.9.unpack; Avira: Label: TR/NanoCore.fadte
Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.2FXSF6MXcV.exe.ff0000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 24.2.firefox.exe.d80000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 19.0.2FXSF6MXcV.exe.ff0000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 19.2.2FXSF6MXcV.exe.ff0000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.2FXSF6MXcV.exe.ff0000.9.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 19.0.2FXSF6MXcV.exe.ff0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 21.0.firefox.exe.dd0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 19.0.2FXSF6MXcV.exe.ff0000.13.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 19.0.2FXSF6MXcV.exe.400000.8.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.2FXSF6MXcV.exe.ff0000.11.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 19.2.2FXSF6MXcV.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.2FXSF6MXcV.exe.ff0000.7.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.2.2FXSF6MXcV.exe.ce0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen
Source: 2FXSF6MXcV.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 2FXSF6MXcV.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: chongmei33.publicvm.com
Source: global traffic; TCP traffic: 192.168.2.3:49833 -> 141.101.134.20:5569
Source: 2FXSF6MXcV.exe, 00000013.00000002.552320568.00000000033C1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown; DNS traffic detected: queries for: chongmei33.publicvm.com
Source: 2FXSF6MXcV.exe, 00000000.00000002.414498393.000000000147A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: 2FXSF6MXcV.exe, 00000013.00000002.556312949.00000000065E0000.00000004.00020000.sdmp; Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.65e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.2FXSF6MXcV.exe.4105530.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.65e0000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.43bff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.2FXSF6MXcV.exe.43a6a40.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.43bb116.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.2FXSF6MXcV.exe.4105530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.43bff4c.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.65e0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.2FXSF6MXcV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.2FXSF6MXcV.exe.43cea60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.2FXSF6MXcV.exe.43a6a40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.2FXSF6MXcV.exe.43cea60.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.2FXSF6MXcV.exe.43c4575.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.404881543.00000000043C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.556312949.00000000065E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.422619914.000000000437F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.411248412.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.412380595.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.554569940.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.549310054.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.417608309.0000000004101000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 2FXSF6MXcV.exe PID: 6132, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 2FXSF6MXcV.exe PID: 4936, type: MEMORYSTR

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.2FXSF6MXcV.exe.65e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.2FXSF6MXcV.exe.6530000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.2FXSF6MXcV.exe.3206ac4.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.2FXSF6MXcV.exe.3206ac4.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.2FXSF6MXcV.exe.3206ac4.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.2FXSF6MXcV.exe.3206ac4.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.2FXSF6MXcV.exe.4105530.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.2FXSF6MXcV.exe.4105530.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.2FXSF6MXcV.exe.65e0000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.2FXSF6MXcV.exe.43bff4c.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.2FXSF6MXcV.exe.43a6a40.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.2FXSF6MXcV.exe.43a6a40.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.2FXSF6MXcV.exe.33c87e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.2FXSF6MXcV.exe.43bb116.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.2FXSF6MXcV.exe.43bb116.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.2FXSF6MXcV.exe.4105530.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.2FXSF6MXcV.exe.4105530.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.2FXSF6MXcV.exe.43bff4c.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.2FXSF6MXcV.exe.65e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.0.2FXSF6MXcV.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.0.2FXSF6MXcV.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.3.2FXSF6MXcV.exe.43cea60.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.3.2FXSF6MXcV.exe.43cea60.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.2FXSF6MXcV.exe.43a6a40.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.2FXSF6MXcV.exe.43a6a40.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.2FXSF6MXcV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.2FXSF6MXcV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.3.2FXSF6MXcV.exe.43cea60.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.3.2FXSF6MXcV.exe.43cea60.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.2FXSF6MXcV.exe.43c4575.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000003.404881543.00000000043C7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000003.404881543.00000000043C7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000002.556312949.00000000065E0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.422619914.000000000437F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.422619914.000000000437F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000000.411248412.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000000.411248412.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000000.412380595.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000000.412380595.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000002.554569940.00000000043B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000002.549310054.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000002.549310054.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.416883288.00000000031A3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.416883288.00000000031A3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000002.556187820.0000000006530000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.417608309.0000000004101000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.417608309.0000000004101000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: 2FXSF6MXcV.exe PID: 6132, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: 2FXSF6MXcV.exe PID: 6132, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: 2FXSF6MXcV.exe PID: 4936, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: 2FXSF6MXcV.exe PID: 4936, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2FXSF6MXcV.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
        Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.2FXSF6MXcV.exe.65e4629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.2FXSF6MXcV.exe.65e4629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.2FXSF6MXcV.exe.6530000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.2FXSF6MXcV.exe.6530000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.2FXSF6MXcV.exe.3206ac4.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.2FXSF6MXcV.exe.3206ac4.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.2FXSF6MXcV.exe.3206ac4.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.2FXSF6MXcV.exe.3206ac4.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.2FXSF6MXcV.exe.3206ac4.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.2FXSF6MXcV.exe.3206ac4.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.2FXSF6MXcV.exe.4105530.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.2FXSF6MXcV.exe.4105530.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.2FXSF6MXcV.exe.4105530.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.2FXSF6MXcV.exe.65e0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.2FXSF6MXcV.exe.65e0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.2FXSF6MXcV.exe.43bff4c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.2FXSF6MXcV.exe.43bff4c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.2FXSF6MXcV.exe.43a6a40.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.2FXSF6MXcV.exe.43a6a40.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.2FXSF6MXcV.exe.43a6a40.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.2FXSF6MXcV.exe.33c87e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.2FXSF6MXcV.exe.33c87e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.2FXSF6MXcV.exe.43bb116.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.2FXSF6MXcV.exe.43bb116.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.2FXSF6MXcV.exe.43bb116.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.2FXSF6MXcV.exe.4105530.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.2FXSF6MXcV.exe.4105530.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.2FXSF6MXcV.exe.43bff4c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.2FXSF6MXcV.exe.43bff4c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.2FXSF6MXcV.exe.65e0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.2FXSF6MXcV.exe.65e0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.0.2FXSF6MXcV.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.0.2FXSF6MXcV.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.0.2FXSF6MXcV.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.3.2FXSF6MXcV.exe.43cea60.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.2FXSF6MXcV.exe.43cea60.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.3.2FXSF6MXcV.exe.43cea60.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.2FXSF6MXcV.exe.43a6a40.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.2FXSF6MXcV.exe.43a6a40.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.2FXSF6MXcV.exe.43a6a40.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.2FXSF6MXcV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.2FXSF6MXcV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.2FXSF6MXcV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.3.2FXSF6MXcV.exe.43cea60.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.2FXSF6MXcV.exe.43cea60.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.3.2FXSF6MXcV.exe.43cea60.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.2FXSF6MXcV.exe.43c4575.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.2FXSF6MXcV.exe.43c4575.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.404881543.00000000043C7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.404881543.00000000043C7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000002.556312949.00000000065E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000002.556312949.00000000065E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.422619914.000000000437F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.422619914.000000000437F000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000000.411248412.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000000.411248412.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000000.412380595.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000000.412380595.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000002.554569940.00000000043B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000002.549310054.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000002.549310054.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.416883288.00000000031A3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.416883288.00000000031A3000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000002.556187820.0000000006530000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000002.556187820.0000000006530000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.417608309.0000000004101000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.417608309.0000000004101000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: 2FXSF6MXcV.exe PID: 6132, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: 2FXSF6MXcV.exe PID: 6132, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: 2FXSF6MXcV.exe PID: 4936, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: 2FXSF6MXcV.exe PID: 4936, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe Code function: 0_2_01709730
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe Code function: 0_2_01701630
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe Code function: 0_2_01701602
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe Code function: 19_2_031AE471
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe Code function: 19_2_031AE480
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe Code function: 19_2_031ABBD4
        Source: C:\Users\user\AppData\Roaming\firefox.exe Code function: 24_2_02F69730
        Source: C:\Users\user\AppData\Roaming\firefox.exe Code function: 24_2_02F61630
        Source: C:\Users\user\AppData\Roaming\firefox.exe Code function: 24_2_02F61621
        Source: 2FXSF6MXcV.exe, 00000000.00000002.416043989.0000000003101000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs 2FXSF6MXcV.exe
        Source: 2FXSF6MXcV.exe, 00000000.00000000.280082368.0000000000D4C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConsoleApp1.exe0 vs 2FXSF6MXcV.exe
        Source: 2FXSF6MXcV.exe, 00000000.00000002.414498393.000000000147A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 2FXSF6MXcV.exe
        Source: 2FXSF6MXcV.exe, 00000000.00000002.417608309.0000000004101000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePunqmksnbc.dll" vs 2FXSF6MXcV.exe
        Source: 2FXSF6MXcV.exe, 00000013.00000000.411915477.000000000105C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConsoleApp1.exe0 vs 2FXSF6MXcV.exe
        Source: 2FXSF6MXcV.exe, 00000013.00000002.556291147.00000000065D0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs 2FXSF6MXcV.exe
        Source: 2FXSF6MXcV.exe, 00000013.00000002.552320568.00000000033C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs 2FXSF6MXcV.exe
        Source: 2FXSF6MXcV.exe, 00000013.00000002.556312949.00000000065E0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 2FXSF6MXcV.exe
        Source: 2FXSF6MXcV.exeBinary or memory string: OriginalFilenameConsoleApp1.exe0 vs 2FXSF6MXcV.exe
        Source: 2FXSF6MXcV.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: 2FXSF6MXcV.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: firefox.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: 2FXSF6MXcV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 2FXSF6MXcV.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: firefox.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 2FXSF6MXcV.exeReversingLabs: Detection: 33%
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeFile read: C:\Users\user\Desktop\2FXSF6MXcV.exeJump to behavior
        Source: 2FXSF6MXcV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\2FXSF6MXcV.exe 'C:\Users\user\Desktop\2FXSF6MXcV.exe'
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess created: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\firefox.exe 'C:\Users\user\AppData\Roaming\firefox.exe'
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\firefox.exe 'C:\Users\user\AppData\Roaming\firefox.exe'
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -pJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeFile created: C:\Users\user\AppData\Roaming\firefox.exeJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeFile created: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeJump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@6/8@4/1
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: 2FXSF6MXcV.exeJoe Sandbox Cloud Basic: Detection: clean Score: 0Perma Link
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{9b8ed064-d4db-4d21-985f-e3763341fef1}
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: 2FXSF6MXcV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: 2FXSF6MXcV.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Code function: 0_2_017055E4 push ds; ret 0_2_017055E7
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Code function: 0_2_017055B2 push eax; ret 0_2_017055B5
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Code function: 0_2_017049AF push eax; iretd 0_2_017049B5
        Source: C:\Users\user\AppData\Roaming\firefox.exe | Code function: 24_2_02F655E4 push ds; ret 24_2_02F655E7
        Source: C:\Users\user\AppData\Roaming\firefox.exe | Code function: 24_2_02F655B2 push eax; ret 24_2_02F655B5
        Source: C:\Users\user\AppData\Roaming\firefox.exe | Code function: 24_2_02F649AF push eax; iretd 24_2_02F649B5
        Source: initial sample | Static PE information: section name: .text entropy: 7.99260887475 (listed 3 times)
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

        Persistence and Installation Behavior:

        Drops executable to a common third party application directory
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | File written: C:\Users\user\AppData\Roaming\firefox.exe
        Source: C:\Users\user\AppData\Roaming\firefox.exe | File created: C:\Users\user\AppData\Local\Temp\firefox.exe (dropped file)
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | File created: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe (dropped file)
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | File created: C:\Users\user\AppData\Roaming\firefox.exe (dropped file)
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefox (listed 2 times)

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeFile opened: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe TID: 6124Thread sleep count: 34 > 30Jump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe TID: 6124Thread sleep time: -34000s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe TID: 5444Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe TID: 5400Thread sleep time: -8301034833169293s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exe TID: 5828Thread sleep count: 33 > 30Jump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exe TID: 5828Thread sleep time: -33000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Roaming\firefox.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | Window / User API: threadDelayed 1939
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | Window / User API: threadDelayed 7394
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | Window / User API: foregroundWindowGot 456
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Memory allocated: page read and write, page guard
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: 2FXSF6MXcV.exe, 00000013.00000002.553803085.00000000036A8000.00000004.00000001.sdmp, firefox.exe, 00000018.00000002.550977830.0000000001A70000.00000002.00020000.sdmp | Binary or memory string: Program Manager
        Source: 2FXSF6MXcV.exe, 00000013.00000002.551667588.0000000001CF0000.00000002.00020000.sdmp, firefox.exe, 00000018.00000002.550977830.0000000001A70000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: 2FXSF6MXcV.exe, 00000013.00000002.551667588.0000000001CF0000.00000002.00020000.sdmp, firefox.exe, 00000018.00000002.550977830.0000000001A70000.00000002.00020000.sdmp | Binary or memory string: Progman
        Source: 2FXSF6MXcV.exe, 00000013.00000002.553803085.00000000036A8000.00000004.00000001.sdmp | Binary or memory string: Program Manager8a
        Source: 2FXSF6MXcV.exe, 00000013.00000002.551667588.0000000001CF0000.00000002.00020000.sdmp, firefox.exe, 00000018.00000002.550977830.0000000001A70000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
        Source: 2FXSF6MXcV.exe, 00000013.00000002.552488445.000000000346A000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHa
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Queries volume information: C:\Users\user\Desktop\2FXSF6MXcV.exe VolumeInformation
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\firefox.exe | Queries volume information: C:\Users\user\AppData\Roaming\firefox.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\firefox.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\firefox.exe | Queries volume information: C:\Users\user\AppData\Roaming\firefox.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\firefox.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\2FXSF6MXcV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 19.0.2FXSF6MXcV.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.2FXSF6MXcV.exe.65e4629.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.0.2FXSF6MXcV.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.2FXSF6MXcV.exe.4105530.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.2FXSF6MXcV.exe.65e0000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.2FXSF6MXcV.exe.43bff4c.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.2FXSF6MXcV.exe.43a6a40.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.2FXSF6MXcV.exe.43bb116.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.2FXSF6MXcV.exe.4105530.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.2FXSF6MXcV.exe.43bff4c.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.2FXSF6MXcV.exe.65e0000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.0.2FXSF6MXcV.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.0.2FXSF6MXcV.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.0.2FXSF6MXcV.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.2FXSF6MXcV.exe.43cea60.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.2FXSF6MXcV.exe.43a6a40.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.2FXSF6MXcV.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.2FXSF6MXcV.exe.43cea60.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.2FXSF6MXcV.exe.43c4575.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.404881543.00000000043C7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.556312949.00000000065E0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.422619914.000000000437F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000000.411248412.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000000.412380595.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.554569940.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.549310054.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.417608309.0000000004101000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: 2FXSF6MXcV.exe PID: 6132, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: 2FXSF6MXcV.exe PID: 4936, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: 2FXSF6MXcV.exe, 00000000.00000003.404881543.00000000043C7000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: 2FXSF6MXcV.exe, 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: 2FXSF6MXcV.exe, 00000013.00000002.552320568.00000000033C1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation | Registry Run Keys / Startup Folder (1) | Process Injection (12) | Masquerading (11) | Input Capture (21) | Security Software Discovery (1) | Remote Services | Input Capture (21) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (21) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (12) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (1) | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Information Discovery (12) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (11) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories (1) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (2) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing (13) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        (Numbers in parentheses are the count of matched signatures shown next to each technique in the report.)

        Behavior Graph

        Behavior Graph ID: 509412 | Sample: 2FXSF6MXcV.exe | Start date: 26/10/2021 | Architecture: WINDOWS | Score: 100

        Signatures on the sample node:
        • Found malware configuration
        • Malicious sample detected (through community Yara rule)
        • Antivirus detection for dropped file
        • 11 other signatures

        Processes started from the sample node: 2FXSF6MXcV.exe (node 6), firefox.exe (node 10), firefox.exe (node 12)

        Node 6, 2FXSF6MXcV.exe:
        • Dropped: C:\Users\user\AppData\Roaming\firefox.exe (PE32)
        • Dropped: C:\Users\user\AppData\...\2FXSF6MXcV.exe (PE32)
        • Dropped: C:\Users\user\...\firefox.exe:Zone.Identifier (ASCII)
        • Dropped: 2 other malicious files
        • Signature: Drops executable to a common third party application directory
        • Started: 2FXSF6MXcV.exe (node 14), svchost.exe (node 19)

        Node 10, firefox.exe:
        • Dropped: C:\Users\user\AppData\Local\...\firefox.exe (PE32)
        • Dropped: C:\Users\user\...\firefox.exe:Zone.Identifier (ASCII)
        • Signature: Antivirus detection for dropped file
        • Signature: Multi AV Scanner detection for dropped file
        • Signature: Machine Learning detection for dropped file

        Node 14, 2FXSF6MXcV.exe:
        • DNS/IP: chongmei33.publicvm.com, 141.101.134.20, port 5569, NETZBETRIEB-GMBHDE, Netherlands
        • Dropped: C:\Users\user\AppData\Roaming\...\run.dat (data)
        • Signature: Antivirus detection for dropped file
        • Signature: Multi AV Scanner detection for dropped file
        • Signature: Machine Learning detection for dropped file
        • Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        2FXSF6MXcV.exe | 33% | ReversingLabs | Win32.Keylogger.KeyBase
        2FXSF6MXcV.exe | 100% | Avira | TR/Dropper.MSIL.Gen
        2FXSF6MXcV.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\firefox.exe | 100% | Avira | TR/Dropper.MSIL.Gen
        C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | 100% | Avira | TR/Dropper.MSIL.Gen
        C:\Users\user\AppData\Roaming\firefox.exe | 100% | Avira | TR/Dropper.MSIL.Gen
        C:\Users\user\AppData\Local\Temp\firefox.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\firefox.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe | 33% | ReversingLabs | Win32.Keylogger.KeyBase
        C:\Users\user\AppData\Local\Temp\firefox.exe | 33% | ReversingLabs | Win32.Keylogger.KeyBase
        C:\Users\user\AppData\Roaming\firefox.exe | 33% | ReversingLabs | Win32.Keylogger.KeyBase

        Unpacked PE Files

        Source | Detection | Scanner | Label
        0.0.2FXSF6MXcV.exe.ce0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        19.0.2FXSF6MXcV.exe.ff0000.5.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        19.0.2FXSF6MXcV.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        19.0.2FXSF6MXcV.exe.ff0000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        24.0.firefox.exe.d80000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        19.2.2FXSF6MXcV.exe.65e0000.9.unpack | 100% | Avira | TR/NanoCore.fadte
        19.0.2FXSF6MXcV.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        19.0.2FXSF6MXcV.exe.ff0000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        24.2.firefox.exe.d80000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        19.0.2FXSF6MXcV.exe.ff0000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        19.2.2FXSF6MXcV.exe.ff0000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        19.0.2FXSF6MXcV.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        19.0.2FXSF6MXcV.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        19.0.2FXSF6MXcV.exe.ff0000.9.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        19.0.2FXSF6MXcV.exe.ff0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        21.0.firefox.exe.dd0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        19.0.2FXSF6MXcV.exe.ff0000.13.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        19.0.2FXSF6MXcV.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        19.0.2FXSF6MXcV.exe.ff0000.11.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        19.2.2FXSF6MXcV.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        19.0.2FXSF6MXcV.exe.ff0000.7.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        0.2.2FXSF6MXcV.exe.ce0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        chongmei33.publicvm.com | 141.101.134.20 | true | false | | high

          Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        chongmei33.publicvm.com | false | | high

            URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 2FXSF6MXcV.exe, 00000013.00000002.552320568.00000000033C1000.00000004.00000001.sdmp | false | | high

              Contacted IPs


              Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        141.101.134.20 | chongmei33.publicvm.com | Netherlands | 201011 | NETZBETRIEB-GMBHDE | false

              General Information

              Joe Sandbox Version:33.0.0 White Diamond
              Analysis ID:509412
              Start date:26.10.2021
              Start time:14:34:06
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 10m 49s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:2FXSF6MXcV.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:28
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@6/8@4/1
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 0.4% (good quality ratio 0.3%)
              • Quality average: 52.9%
              • Quality standard deviation: 23.7%
              HCA Information:
              • Successful, ratio: 82%
              • Number of executed functions: 22
              • Number of non-executed functions: 2
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.199.120.85, 23.211.6.115, 20.199.120.151, 20.50.102.62, 173.222.108.210, 173.222.108.226, 20.54.110.249, 20.199.120.182, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.210.154
              • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
              • Not all processes where analyzed, report is missing behavior information
              • Report size getting too big, too many NtProtectVirtualMemory calls found.

              Simulations

              Behavior and APIs

        Time | Type | Description
        14:35:56 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run firefox "C:\Users\user\AppData\Roaming\firefox.exe"
        14:36:03 | API Interceptor | 497x Sleep call for process: 2FXSF6MXcV.exe modified
        14:36:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run firefox "C:\Users\user\AppData\Roaming\firefox.exe"

              Joe Sandbox View / Context

              IPs

              No context

              Domains

        Match: chongmei33.publicvm.com

        Associated Sample Name / URL | Detection | Context (IP)
        ORDER_2110225_pdf.jar | malicious | 141.101.134.18
        Order_ Inquiry_Octorber_pdf.jar | malicious | 141.101.134.18
        mt103_usd78654_pdf.jar | malicious | 141.101.134.47
        ORDER_211099A_pdf.jar | malicious | 141.101.134.47
        spnxsdsnu.jar | malicious | 141.101.134.18
        ORDER-0021889.jar | malicious | 141.101.134.18
        spnxsdsnu.jar | malicious | 141.101.134.18
        ORDER-0021889.jar | malicious | 141.101.134.18
        SecuriteInfo.com.Heur.MSIL.Androm.1.13901.exe | malicious | 141.101.134.39
        01_extracted.jar | malicious | 172.94.109.53
        AVZ80SGiM1.exe | malicious | 141.101.134.44
        rz89FRwKvB.exe | malicious | 172.94.109.9
        6VYNUalwUt.exe | malicious | 46.243.221.18
        ORDER-6010.pdf.exe | malicious | 46.243.221.22
        ORDER-210067.xls.exe | malicious | 46.243.221.40
        ORDER-02188.exe | malicious | 46.243.217.11
        PO-21055-COPY.xls.jar | malicious | 46.243.217.36
        PO-21322.xlsm | malicious | 46.243.221.36
        PO-21789669S_pdf.jar | malicious | 46.243.221.30
        PO-21789669S_pdf.jar | malicious | 46.243.221.30

              ASN

        Match: NETZBETRIEB-GMBHDE

        Associated Sample Name / URL | Detection | Context (IP)
        spnxsdsnu.jar | malicious | 141.101.134.18
        ORDER-0021889.jar | malicious | 141.101.134.18
        spnxsdsnu.jar | malicious | 141.101.134.18
        ORDER-0021889.jar | malicious | 141.101.134.18
        SecuriteInfo.com.Heur.MSIL.Androm.1.13901.exe | malicious | 141.101.134.51
        uCXiXf5LvT | malicious | 93.159.212.227
        dGSQxmfNFwvn.exe | malicious | 141.101.134.37
        AVZ80SGiM1.exe | malicious | 141.101.134.44
        JVB30EDCaR | malicious | 93.159.212.251
        https://rediree3.from-wv.com/black1/ | malicious | 80.255.2.39
        http://195.138.255.24 | malicious | 195.138.255.24
        B0B.exe | malicious | 81.95.5.133
        #U0413#U0430#U0437#U043f#U0440#U043e#U043c#U0431#U0430#U043d#U043a #U0437#U0430#U043a#U0430#U0437.js | malicious | 82.199.155.89
        100213865.doc.js | malicious | 92.43.107.180
        100213865.doc.js | malicious | 92.43.107.180
        24Faktura-2018_10_03_PDF.exe | malicious | 80.255.6.23
        https://puhavuz.cf/cgi-ssl/file-directory/access-secured/finder/microsoftonline365.com.auth/login.php?userid=samuel.tietjen@motiva.com | malicious | 195.138.255.18
        xv17XXqvDA.doc | malicious | 80.255.3.109

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2FXSF6MXcV.exe.log
              Process:C:\Users\user\Desktop\2FXSF6MXcV.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):612
              Entropy (8bit):5.33730556823153
              Encrypted:false
              SSDEEP:12:Q3La/KDLI4MWuPk21xzAbDLI4M0kvoDLI4MWuCOKbbDLI4MWuPJKiUrRZ9I0ZKhk:ML9E4Ks2vsXE4jE4KnKDE4KhK3VZ9pKe
              MD5:08A80BA6C9FA7AD518949631A37A08F9
              SHA1:27D59DD0D98BE6A7986BD690F9290451CAFD1536
              SHA-256:BDBB0129FD9D6760CB29D06B764A239A2E21DE7792CF0415211FBDF5551519FE
              SHA-512:CF00287F65F7D19C66F6AE2BEABAA9A442A5202F39E05B7E67BB56391212FDA0E06DB1F671A2A9CD52F3C12C230EAB7C0C6822A89CAAF5DBEDF14E9B84FA2C16
              Malicious:true
              Reputation:moderate, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
              C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe
              Process:C:\Users\user\Desktop\2FXSF6MXcV.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):544256
              Entropy (8bit):7.634719012543835
              Encrypted:false
              SSDEEP:12288:flGhdMhckf/KMU1oHh6ZL2tJ84K0AQZ+3GS4Wwt4q4W8wL:cAhceEshcqtJ84K0f+3gt4n
              MD5:E13B24CDA6737F13B2DC3F2C20D8823B
              SHA1:B58A2436A4BEFB5B7465153A72F64FD17531644C
              SHA-256:F8EE546F04FA175FA9A8B1F3DE8595BD0A4F6AEBFEED50A95C5E309D49063E1E
              SHA-512:C8FD34D209A8659638E349A86FC39F76A11EE0A7A74AFB4DB479D7C00A6442194A3E3FF9AAE41EFB6ACD065F2CF665342FD523AA19FE69CB95B0178F903B734C
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 33%
              Reputation:low
              C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\2FXSF6MXcV.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0
              C:\Users\user\AppData\Local\Temp\firefox.exe
              Process:C:\Users\user\AppData\Roaming\firefox.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):544256
              Entropy (8bit):7.634719012543835
              Encrypted:false
              SSDEEP:12288:flGhdMhckf/KMU1oHh6ZL2tJ84K0AQZ+3GS4Wwt4q4W8wL:cAhceEshcqtJ84K0f+3gt4n
              MD5:E13B24CDA6737F13B2DC3F2C20D8823B
              SHA1:B58A2436A4BEFB5B7465153A72F64FD17531644C
              SHA-256:F8EE546F04FA175FA9A8B1F3DE8595BD0A4F6AEBFEED50A95C5E309D49063E1E
              SHA-512:C8FD34D209A8659638E349A86FC39F76A11EE0A7A74AFB4DB479D7C00A6442194A3E3FF9AAE41EFB6ACD065F2CF665342FD523AA19FE69CB95B0178F903B734C
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 33%
              Reputation:low
              C:\Users\user\AppData\Local\Temp\firefox.exe:Zone.Identifier
              Process:C:\Users\user\AppData\Roaming\firefox.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe
              File Type:data
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:1atn:Itn
              MD5:C0B4C5D70A426481C367FCD275C1E527
              SHA1:17E1FBDE70F34257DACDFAD013E5F763A57E443D
              SHA-256:0E9F810198356BE0880ADCAE0914A8714C09C71AA59F34F426D1AD9FF9B16B3F
              SHA-512:F9064E31C160D62F2648F1EE1F169B0BFCA159E117A4F0A36AEC841CF9D2909C4A1AE188C499573E3DD539C7DC49197DF1F74B35E6C2D30EA504C483C8BD35FE
              Malicious:true
              Reputation:low
              Preview: ......H
              C:\Users\user\AppData\Roaming\firefox.exe
              Process:C:\Users\user\Desktop\2FXSF6MXcV.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):544256
              Entropy (8bit):7.634719012543835
              Encrypted:false
              SSDEEP:12288:flGhdMhckf/KMU1oHh6ZL2tJ84K0AQZ+3GS4Wwt4q4W8wL:cAhceEshcqtJ84K0f+3gt4n
              MD5:E13B24CDA6737F13B2DC3F2C20D8823B
              SHA1:B58A2436A4BEFB5B7465153A72F64FD17531644C
              SHA-256:F8EE546F04FA175FA9A8B1F3DE8595BD0A4F6AEBFEED50A95C5E309D49063E1E
              SHA-512:C8FD34D209A8659638E349A86FC39F76A11EE0A7A74AFB4DB479D7C00A6442194A3E3FF9AAE41EFB6ACD065F2CF665342FD523AA19FE69CB95B0178F903B734C
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 33%
              C:\Users\user\AppData\Roaming\firefox.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\2FXSF6MXcV.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Preview: [ZoneTransfer]....ZoneId=0

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.634719012543835
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              • Win32 Executable (generic) a (10002005/4) 49.78%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              File name:2FXSF6MXcV.exe
              File size:544256
              MD5:e13b24cda6737f13b2dc3f2c20d8823b
              SHA1:b58a2436a4befb5b7465153a72f64fd17531644c
              SHA256:f8ee546f04fa175fa9a8b1f3de8595bd0a4f6aebfeed50a95c5e309d49063e1e
              SHA512:c8fd34d209a8659638e349a86fc39f76a11ee0a7a74afb4db479d7c00a6442194a3e3ff9aae41efb6acd065f2cf665342fd523aa19fe69cb95b0178f903b734c
              SSDEEP:12288:flGhdMhckf/KMU1oHh6ZL2tJ84K0AQZ+3GS4Wwt4q4W8wL:cAhceEshcqtJ84K0f+3gt4n
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....va................................. ........@.. ....................................@................................

              File Icon

              Icon Hash:70f0d8d4d4d8f069

              Static PE Info

              General

              Entrypoint:0x46a8ee
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x6176EE13 [Mon Oct 25 17:49:07 2021 UTC]
              TLS Callbacks:
              CLR (.Net) Version:v4.0.30319
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

              Instruction
              jmp dword ptr [00402000h]

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a8a0 | 0x4b | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6c000 | 0x1bfa4 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0xc | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0x688f4 | 0x68a00 | False | 0.988344254032 | data | 7.99260887475 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rsrc | 0x6c000 | 0x1bfa4 | 0x1c000 | False | 0.217694963728 | data | 4.88488417465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0x88000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x6c220 | 0x3242 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
              RT_ICON | 0x6f464 | 0x10828 | dBase III DBT, version number 0, next free block index 40
              RT_ICON | 0x7fc8c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
              RT_ICON | 0x83eb4 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
              RT_ICON | 0x8645c | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
              RT_ICON | 0x87504 | 0x468 | GLS_BINARY_LSB_FIRST
              RT_GROUP_ICON | 0x8796c | 0x5a | data
              RT_VERSION | 0x879c8 | 0x428 | data
              RT_MANIFEST | 0x87df0 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

              Imports

              DLL | Import
              mscoree.dll | _CorExeMain

              Version Infos

              Description | Data
              Translation | 0x0000 0x04b0
              LegalCopyright | Firefox and Mozilla Developers; available under the MPL 2 license.
              Assembly Version | 93.0.0.7940
              InternalName | ConsoleApp1.exe
              FileVersion | 93.0.0.7940
              CompanyName | Mozilla Corporation
              LegalTrademarks | Firefox is a Trademark of The Mozilla Foundation.
              Comments | Firefox
              ProductName | Firefox
              ProductVersion | 93.0.0.7940
              FileDescription | Firefox
              OriginalFilename | ConsoleApp1.exe

              Network Behavior

              Network Port Distribution

              TCP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Oct 26, 2021 14:36:07.440824032 CEST | 49833 | 5569 | 192.168.2.3 | 141.101.134.20
              Oct 26, 2021 14:36:10.446516037 CEST | 49833 | 5569 | 192.168.2.3 | 141.101.134.20
              Oct 26, 2021 14:36:16.462841988 CEST | 49833 | 5569 | 192.168.2.3 | 141.101.134.20
              Oct 26, 2021 14:36:26.739911079 CEST | 49836 | 5569 | 192.168.2.3 | 141.101.134.20
              Oct 26, 2021 14:36:29.745060921 CEST | 49836 | 5569 | 192.168.2.3 | 141.101.134.20
              Oct 26, 2021 14:36:35.745665073 CEST | 49836 | 5569 | 192.168.2.3 | 141.101.134.20
              Oct 26, 2021 14:36:43.376847029 CEST | 49863 | 5569 | 192.168.2.3 | 141.101.134.20
              Oct 26, 2021 14:36:46.387025118 CEST | 49863 | 5569 | 192.168.2.3 | 141.101.134.20
              Oct 26, 2021 14:36:52.389132977 CEST | 49863 | 5569 | 192.168.2.3 | 141.101.134.20
              Oct 26, 2021 14:37:00.488742113 CEST | 49865 | 5569 | 192.168.2.3 | 141.101.134.20
              Oct 26, 2021 14:37:03.497868061 CEST | 49865 | 5569 | 192.168.2.3 | 141.101.134.20
              Oct 26, 2021 14:37:09.504198074 CEST | 49865 | 5569 | 192.168.2.3 | 141.101.134.20

              UDP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Oct 26, 2021 14:36:07.299653053 CEST | 63456 | 53 | 192.168.2.3 | 8.8.8.8
              Oct 26, 2021 14:36:07.420595884 CEST | 53 | 63456 | 8.8.8.8 | 192.168.2.3
              Oct 26, 2021 14:36:26.549268007 CEST | 58942 | 53 | 192.168.2.3 | 8.8.8.8
              Oct 26, 2021 14:36:26.716905117 CEST | 53 | 58942 | 8.8.8.8 | 192.168.2.3
              Oct 26, 2021 14:36:43.356201887 CEST | 63490 | 53 | 192.168.2.3 | 8.8.8.8
              Oct 26, 2021 14:36:43.375072002 CEST | 53 | 63490 | 8.8.8.8 | 192.168.2.3
              Oct 26, 2021 14:37:00.459346056 CEST | 61120 | 53 | 192.168.2.3 | 8.8.8.8
              Oct 26, 2021 14:37:00.477619886 CEST | 53 | 61120 | 8.8.8.8 | 192.168.2.3

              DNS Queries

              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              Oct 26, 2021 14:36:07.299653053 CEST | 192.168.2.3 | 8.8.8.8 | 0x3c6d | Standard query (0) | chongmei33.publicvm.com | A (IP address) | IN (0x0001)
              Oct 26, 2021 14:36:26.549268007 CEST | 192.168.2.3 | 8.8.8.8 | 0x5d6 | Standard query (0) | chongmei33.publicvm.com | A (IP address) | IN (0x0001)
              Oct 26, 2021 14:36:43.356201887 CEST | 192.168.2.3 | 8.8.8.8 | 0x3811 | Standard query (0) | chongmei33.publicvm.com | A (IP address) | IN (0x0001)
              Oct 26, 2021 14:37:00.459346056 CEST | 192.168.2.3 | 8.8.8.8 | 0x43d2 | Standard query (0) | chongmei33.publicvm.com | A (IP address) | IN (0x0001)

              DNS Answers

              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              Oct 26, 2021 14:36:07.420595884 CEST | 8.8.8.8 | 192.168.2.3 | 0x3c6d | No error (0) | chongmei33.publicvm.com | | 141.101.134.20 | A (IP address) | IN (0x0001)
              Oct 26, 2021 14:36:26.716905117 CEST | 8.8.8.8 | 192.168.2.3 | 0x5d6 | No error (0) | chongmei33.publicvm.com | | 141.101.134.20 | A (IP address) | IN (0x0001)
              Oct 26, 2021 14:36:43.375072002 CEST | 8.8.8.8 | 192.168.2.3 | 0x3811 | No error (0) | chongmei33.publicvm.com | | 141.101.134.20 | A (IP address) | IN (0x0001)
              Oct 26, 2021 14:37:00.477619886 CEST | 8.8.8.8 | 192.168.2.3 | 0x43d2 | No error (0) | chongmei33.publicvm.com | | 141.101.134.20 | A (IP address) | IN (0x0001)

              Code Manipulations

              System Behavior

              General

              Start time:14:34:58
              Start date:26/10/2021
              Path:C:\Users\user\Desktop\2FXSF6MXcV.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\2FXSF6MXcV.exe'
              Imagebase:0xce0000
              File size:544256 bytes
              MD5 hash:E13B24CDA6737F13B2DC3F2C20D8823B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.404881543.00000000043C7000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.404881543.00000000043C7000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.404881543.00000000043C7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.422619914.000000000437F000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.422619914.000000000437F000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.422619914.000000000437F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.416883288.00000000031A3000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.416883288.00000000031A3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.417608309.0000000004101000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.417608309.0000000004101000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.417608309.0000000004101000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:14:35:25
              Start date:26/10/2021
              Path:C:\Windows\System32\svchost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
              Imagebase:0x7ff70d6e0000
              File size:51288 bytes
              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:14:35:57
              Start date:26/10/2021
              Path:C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Local\Temp\2FXSF6MXcV.exe
              Imagebase:0xff0000
              File size:544256 bytes
              MD5 hash:E13B24CDA6737F13B2DC3F2C20D8823B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.410602716.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.411789598.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.556312949.00000000065E0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.556312949.00000000065E0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.556312949.00000000065E0000.00000004.00020000.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.411248412.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.411248412.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.411248412.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.412380595.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.412380595.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.412380595.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.554569940.00000000043B9000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.554569940.00000000043B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.549310054.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.549310054.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.549310054.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.556187820.0000000006530000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.556187820.0000000006530000.00000004.00020000.sdmp, Author: Florian Roth
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 100%, Joe Sandbox ML
              • Detection: 33%, ReversingLabs
              Reputation:low

              General

              Start time:14:36:05
              Start date:26/10/2021
              Path:C:\Users\user\AppData\Roaming\firefox.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\AppData\Roaming\firefox.exe'
              Imagebase:0xdd0000
              File size:544256 bytes
              MD5 hash:E13B24CDA6737F13B2DC3F2C20D8823B
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 100%, Joe Sandbox ML
              • Detection: 33%, ReversingLabs
              Reputation:low

              General

              Start time:14:36:13
              Start date:26/10/2021
              Path:C:\Users\user\AppData\Roaming\firefox.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\AppData\Roaming\firefox.exe'
              Imagebase:0xd80000
              File size:544256 bytes
              MD5 hash:E13B24CDA6737F13B2DC3F2C20D8823B
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET
              Reputation:low

              Disassembly

              Code Analysis

                Executed Functions

                Memory Dump Source
                • Source File: 00000000.00000002.414727036.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

                APIs
                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 017094B4
                Memory Dump Source
                • Source File: 00000000.00000002.414727036.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

                APIs
                • FindCloseChangeNotification.KERNELBASE ref: 0170967A
                Memory Dump Source
                • Source File: 00000000.00000002.414727036.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.414371821.000000000143D000.00000040.00000001.sdmp, Offset: 0143D000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.414371821.000000000143D000.00000040.00000001.sdmp, Offset: 0143D000, based on PE: false

                Non-executed Functions

                Memory Dump Source
                • Source File: 00000000.00000002.414727036.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.414727036.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

                Executed Functions

                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.556567146.0000000006990000.00000040.00000001.sdmp, Offset: 06990000, based on PE: false
                • String ID: EDz;$EDz;

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031AFD0A
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.552157431.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false
                • String ID: EDz;$EDz;

                APIs
                • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06993180
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.556567146.0000000006990000.00000040.00000001.sdmp, Offset: 06990000, based on PE: false
                • String ID: EDz;$EDz;

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031AFD0A
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.552157431.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false
                • String ID: EDz;$EDz;

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 031A962E
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.552157431.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false
                • String ID: EDz;

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031ABCC6,?,?,?,?,?), ref: 031ABD87
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.552157431.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false
                • String ID: EDz;

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031ABCC6,?,?,?,?,?), ref: 031ABD87
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.552157431.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false
                • String ID: EDz;

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031A96A9,00000800,00000000,00000000), ref: 031A98BA
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.552157431.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false
                • String ID: EDz;

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031A96A9,00000800,00000000,00000000), ref: 031A98BA
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.552157431.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false
                • String ID: EDz;

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 031A962E
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.552157431.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false
                • String ID: EDz;

                APIs
                • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,031AFE28,?,?,?,?), ref: 031AFE9D
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.552157431.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false
                • String ID: EDz;

                APIs
                • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,031AFE28,?,?,?,?), ref: 031AFE9D
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.552157431.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false
                • String ID: EDz;

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031ABCC6,?,?,?,?,?), ref: 031ABD87
                Memory Dump Source
                • Source File: 00000013.00000002.552157431.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

                Memory Dump Source
                • Source File: 00000013.00000002.550290153.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false

                Memory Dump Source
                • Source File: 00000013.00000002.550290153.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false

                Non-executed Functions

                Executed Functions

                APIs
                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02F694B4
                Memory Dump Source
                • Source File: 00000018.00000002.551422060.0000000002F60000.00000040.00000001.sdmp, Offset: 02F60000, based on PE: false

                APIs
                • FindCloseChangeNotification.KERNELBASE ref: 02F6967A
                Memory Dump Source
                • Source File: 00000018.00000002.551422060.0000000002F60000.00000040.00000001.sdmp, Offset: 02F60000, based on PE: false

                Non-executed Functions