Windows Analysis Report Purchase Order - MULBERRY PTY LTD PO# 8083 .exe

Overview

General Information

Sample Name: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Analysis ID: 526064
MD5: 73f150f9addd1b8c71edb0af02689742
SHA1: 87c19c7df6ccdb108feb578d1422797780ad4716
SHA256: 04fbd90fa1d4c3fb72e4a96104eb36873b83b098b8ac193e615b341db5752645
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus detection for dropped file
Yara detected Nanocore RAT
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates processes with suspicious names
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 0000000F.00000002.717988844.00000000036EC000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "9cae05bf-9274-4cf6-bafd-b5dbdfaf", "Group": "Default", "Domain1": "79.134.225.112", "Domain2": "", "Port": 6432, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsk7EB3.tmp\ymbom.dll Avira: detection malicious, Label: HEUR/AGEN.1120891
Source: C:\Users\user\AppData\Local\Temp\nsj88F4.tmp\ymbom.dll Avira: detection malicious, Label: HEUR/AGEN.1120891
Source: C:\Users\user\AppData\Local\Temp\nsm511B.tmp\ymbom.dll Avira: detection malicious, Label: HEUR/AGEN.1120891
Yara detected Nanocore RAT
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2441458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.373dd79.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3738343.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.2200000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.2200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e5730.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3738343.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5114629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2441458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e5730.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4850000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.36b3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a8343.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3733506.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.36b3258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.373dd79.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.717988844.00000000036EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912664757.0000000002322000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.710919789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.717482187.0000000002200000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.911073120.00000000005B6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711053086.0000000000506000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.693119154.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.716217507.00000000004D5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.702734026.0000000002430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.716130336.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.661434639.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711912527.000000000385C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912385111.00000000022D0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711854712.0000000003821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.659439082.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.718225009.0000000004852000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.717924088.00000000036B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912764065.00000000026B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.701171418.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711556694.0000000002400000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.658682840.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.695033626.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.697903299.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.910935866.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.697418143.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.700051302.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.914365735.0000000005110000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711653141.0000000002472000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 4828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 6572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6684, type: MEMORYSTR
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.1.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.dhcpmon.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.dhcpmon.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.dhcpmon.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.dhcpmon.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.dhcpmon.exe.400000.9.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.dhcpmon.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.dhcpmon.exe.400000.5.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.dhcpmon.exe.400000.11.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.unpack Avira: Label: TR/NanoCore.fadte
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.2.dhcpmon.exe.4850000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.dhcpmon.exe.400000.7.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.dhcpmon.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Unpacked PE file: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Unpacked PE file: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Unpacked PE file: 15.2.dhcpmon.exe.4850000.10.unpack
Uses 32bit PE files
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Binary string: C:\xampp\htdocs\Loct\78db1e9ae9bb491b9cd0254e41b5746a\Loader\plcnhijn\Release\plcnhijn.pdb`+@? source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000000.00000002.660015658.0000000000409000.00000004.00020000.sdmp, Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000B.00000002.697505701.000000001000B000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.703412825.000000001000B000.00000002.00020000.sdmp, ymbom.dll.11.dr
Source: Binary string: scorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.912643678.0000000002315000.00000004.00000040.sdmp
Source: Binary string: C:\xampp\htdocs\Loct\78db1e9ae9bb491b9cd0254e41b5746a\Loader\plcnhijn\Release\plcnhijn.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000000.00000002.660015658.0000000000409000.00000004.00020000.sdmp, Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000B.00000002.697505701.000000001000B000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.703412825.000000001000B000.00000002.00020000.sdmp, ymbom.dll.11.dr
Source: Binary string: wntdll.pdbUGP source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000000.00000003.650720959.0000000002B20000.00000004.00000001.sdmp, Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000B.00000003.692061997.0000000002B20000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.688134610.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp, Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000D.00000002.711791152.000000000282E000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.717988844.00000000036EC000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000000.00000003.650720959.0000000002B20000.00000004.00000001.sdmp, Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000B.00000003.692061997.0000000002B20000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.688134610.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.912643678.0000000002315000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.912643678.0000000002315000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.912643678.0000000002315000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.912643678.0000000002315000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405250
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00405C22 FindFirstFileA,FindClose, 0_2_00405C22
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_00404A29 FindFirstFileExW, 3_2_00404A29
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 11_2_00405250
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_00405C22 FindFirstFileA,FindClose, 11_2_00405C22
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_00402630 FindFirstFileA, 11_2_00402630
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_00404A29 FindFirstFileExW, 13_2_00404A29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00404A29 FindFirstFileExW, 15_2_00404A29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_1_00404A29 FindFirstFileExW, 15_1_00404A29

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 4x nop then mov esp, ebp 3_2_0488865F

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs:
Source: Malware configuration extractor URLs: 79.134.225.112
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.112 79.134.225.112
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49748 -> 79.134.225.112:6432
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.112
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a raw input device (often for capturing keystrokes)
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404E07

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2441458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.373dd79.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3738343.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.2200000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.2200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e5730.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3738343.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5114629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2441458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e5730.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4850000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.36b3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a8343.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3733506.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.36b3258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.373dd79.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.717988844.00000000036EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912664757.0000000002322000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.710919789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.717482187.0000000002200000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.911073120.00000000005B6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711053086.0000000000506000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.693119154.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.716217507.00000000004D5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.702734026.0000000002430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.716130336.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.661434639.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711912527.000000000385C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912385111.00000000022D0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711854712.0000000003821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.659439082.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.718225009.0000000004852000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.717924088.00000000036B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912764065.00000000026B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.701171418.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711556694.0000000002400000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.658682840.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.695033626.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.697903299.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.910935866.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.697418143.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.700051302.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.914365735.0000000005110000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711653141.0000000002472000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 4828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 6572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6684, type: MEMORYSTR

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5100000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.2441458.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2441458.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.373dd79.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3738343.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3738343.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.26c1990.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.2200000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.2200000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.dhcpmon.exe.415058.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.dhcpmon.exe.415058.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.dhcpmon.exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.dhcpmon.exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.26c1990.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.2200000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.2200000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.4e5730.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.4e5730.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.26d687c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.dhcpmon.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.dhcpmon.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3738343.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3738343.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.3733506.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2430000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2430000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.26d687c.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.dhcpmon.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.dhcpmon.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.dhcpmon.exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.dhcpmon.exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5114629.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.4e70000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2846894.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2441458.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2441458.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2846894.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.26db908.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.4e5730.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.4e5730.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.284b920.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.dhcpmon.exe.415058.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.dhcpmon.exe.415058.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.2430000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2430000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.4850000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.4850000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.36b3258.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.36b3258.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.1.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.1.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a8343.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a8343.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.3733506.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3733506.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.36b3258.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.36b3258.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.26c680c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.373dd79.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.717988844.00000000036EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.711791152.000000000282E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.912664757.0000000002322000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.912664757.0000000002322000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.710919789.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.710919789.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.717482187.0000000002200000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.717482187.0000000002200000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.911073120.00000000005B6000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.911073120.00000000005B6000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.711053086.0000000000506000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.711053086.0000000000506000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000000.693119154.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000000.693119154.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.716217507.00000000004D5000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.716217507.00000000004D5000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.702734026.0000000002430000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.702734026.0000000002430000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.716130336.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.716130336.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.661434639.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.661434639.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.711912527.000000000385C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.912385111.00000000022D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.912385111.00000000022D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.711854712.0000000003821000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.711854712.0000000003821000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.659439082.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.659439082.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.718225009.0000000004852000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.718225009.0000000004852000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.717924088.00000000036B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.717924088.00000000036B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000001.701171418.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000001.701171418.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.711556694.0000000002400000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.711556694.0000000002400000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.658682840.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.658682840.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000000.695033626.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000000.695033626.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.914348612.0000000005100000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000000.697903299.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000000.697903299.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.717789111.00000000026BE000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.914250318.0000000004E70000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.910935866.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.910935866.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.697418143.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.697418143.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000000.700051302.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000000.700051302.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.914365735.0000000005110000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.711653141.0000000002472000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.711653141.0000000002472000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 4828, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 4828, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 6572, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5936, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5936, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5768, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5788, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5788, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6684, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Static file information: Suspicious name
Uses 32bit PE files
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5100000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5100000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.2441458.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2441458.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.dhcpmon.exe.2441458.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.373dd79.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.373dd79.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.3738343.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3738343.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.3738343.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.26c1990.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.26c1990.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.2200000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.2200000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.2200000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.415058.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.dhcpmon.exe.415058.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.dhcpmon.exe.415058.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.dhcpmon.exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.dhcpmon.exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.26c1990.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.26c1990.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.2200000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.2200000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.2200000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.4e5730.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.4e5730.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.4e5730.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.26d687c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.26d687c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.dhcpmon.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.dhcpmon.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3738343.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3738343.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3738343.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.3733506.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3733506.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.dhcpmon.exe.2430000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2430000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.dhcpmon.exe.2430000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.26d687c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.26d687c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.dhcpmon.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.dhcpmon.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.dhcpmon.exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.dhcpmon.exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5114629.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5114629.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.4e70000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.4e70000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2846894.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2846894.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.dhcpmon.exe.2441458.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2441458.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.dhcpmon.exe.2441458.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2846894.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2846894.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.26db908.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.26db908.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.4e5730.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.4e5730.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.4e5730.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.284b920.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.284b920.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.415058.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.dhcpmon.exe.415058.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.dhcpmon.exe.415058.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.2430000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2430000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.dhcpmon.exe.2430000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.4850000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.4850000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.4850000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.36b3258.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.36b3258.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.36b3258.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.1.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.1.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.1.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a8343.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a8343.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a8343.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.3733506.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3733506.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.3733506.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.36b3258.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.36b3258.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.36b3258.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.26c680c.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.26c680c.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.373dd79.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.373dd79.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.717988844.00000000036EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.711791152.000000000282E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.912664757.0000000002322000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.912664757.0000000002322000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.710919789.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.710919789.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.710919789.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.717482187.0000000002200000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.717482187.0000000002200000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.717482187.0000000002200000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.911073120.00000000005B6000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.911073120.00000000005B6000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.711053086.0000000000506000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.711053086.0000000000506000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000000.693119154.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000000.693119154.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.716217507.00000000004D5000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.716217507.00000000004D5000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.702734026.0000000002430000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.702734026.0000000002430000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.702734026.0000000002430000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.716130336.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.716130336.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.716130336.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.661434639.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.661434639.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.661434639.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.711912527.000000000385C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.912385111.00000000022D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.912385111.00000000022D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.912385111.00000000022D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.711854712.0000000003821000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.711854712.0000000003821000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.659439082.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.659439082.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.718225009.0000000004852000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.718225009.0000000004852000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.717924088.00000000036B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.717924088.00000000036B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000001.701171418.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000001.701171418.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000001.701171418.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.711556694.0000000002400000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.711556694.0000000002400000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.711556694.0000000002400000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.658682840.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.658682840.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000000.695033626.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000000.695033626.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.914348612.0000000005100000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.914348612.0000000005100000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000000.697903299.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000000.697903299.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.717789111.00000000026BE000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.914250318.0000000004E70000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.914250318.0000000004E70000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.910935866.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.910935866.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.910935866.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.697418143.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.697418143.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.697418143.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000000.700051302.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000000.700051302.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.914365735.0000000005110000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.914365735.0000000005110000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.711653141.0000000002472000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.711653141.0000000002472000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 4828, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 4828, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 6572, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5936, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5936, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5768, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5788, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5788, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6684, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030E3
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 11_2_004030E3
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00406043 0_2_00406043
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00404618 0_2_00404618
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_0040681A 0_2_0040681A
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10001280 0_2_10001280
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10008631 0_2_10008631
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10006E52 0_2_10006E52
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_100068E0 0_2_100068E0
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10010AF0 0_2_10010AF0
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10010AFF 0_2_10010AFF
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10005741 0_2_10005741
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_100073C4 0_2_100073C4
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_100095FD 0_2_100095FD
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_0040A2A5 3_2_0040A2A5
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_00927ABE 3_2_00927ABE
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_0488B488 3_2_0488B488
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_04883850 3_2_04883850
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_04882FA8 3_2_04882FA8
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_048823A0 3_2_048823A0
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_04888BB8 3_2_04888BB8
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_048897B8 3_2_048897B8
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_0488306F 3_2_0488306F
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_0488987F 3_2_0488987F
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_1_0040A2A5 3_1_0040A2A5
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_00406043 11_2_00406043
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_00404618 11_2_00404618
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_0040681A 11_2_0040681A
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10001280 11_2_10001280
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10008631 11_2_10008631
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10006E52 11_2_10006E52
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_100068E0 11_2_100068E0
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10010AF0 11_2_10010AF0
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10010AFF 11_2_10010AFF
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10005741 11_2_10005741
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_100073C4 11_2_100073C4
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_100095FD 11_2_100095FD
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_0040A2A5 13_2_0040A2A5
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_049C2FA8 13_2_049C2FA8
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_049C23A0 13_2_049C23A0
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_049C306F 13_2_049C306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10001280 14_2_10001280
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10008631 14_2_10008631
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10006E52 14_2_10006E52
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_100068E0 14_2_100068E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10010AF0 14_2_10010AF0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10010AFF 14_2_10010AFF
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10005741 14_2_10005741
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_100073C4 14_2_100073C4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_100095FD 14_2_100095FD
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0040A2A5 15_2_0040A2A5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_048A2FA8 15_2_048A2FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_048A23A0 15_2_048A23A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_048A3850 15_2_048A3850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_048A306F 15_2_048A306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_1_0040A2A5 15_1_0040A2A5
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: String function: 004029E8 appears 48 times
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: String function: 0040592B appears 38 times
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: String function: 00401ED0 appears 69 times
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: String function: 0040569E appears 54 times
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: String function: 00401ED0 appears 46 times
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: String function: 0040569E appears 36 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_04A01942 NtQuerySystemInformation, 3_2_04A01942
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_04A01907 NtQuerySystemInformation, 3_2_04A01907
Sample file is different than original file name gathered from version info
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000000.00000003.656721396.0000000002C3F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000B.00000003.688633134.0000000002C3F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000D.00000002.711791152.000000000282E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000D.00000002.711791152.000000000282E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000D.00000002.711791152.000000000282E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000D.00000002.711912527.000000000385C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Purchase Order - MULBERRY PTY LTD PO# 8083 .exe
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File read: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Jump to behavior
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe "C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe"
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe "C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe"
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5CB6.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp6429.tmp
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe "C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe" 0
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe "C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe" 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Windows\System32\wuapihost.exe C:\Windows\System32\wuapihost.exe -Embedding
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe "C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe" Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5CB6.tmp Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp6429.tmp Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe "C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe" 0 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_04A01702 AdjustTokenPrivileges, 3_2_04A01702
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_04A016CB AdjustTokenPrivileges, 3_2_04A016CB
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: C:\Users\user\AppData\Local\Temp\nsr50EB.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@16/12@0/2
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040411B
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.dhcpmon.exe.4850000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.dhcpmon.exe.4850000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_01
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{9cae05bf-9274-4cf6-bafd-b5dbdfafaaa0}
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 3_2_00401489
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: C:\Program Files (x86)\DHCP Monitor Jump to behavior
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.2.dhcpmon.exe.4850000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.2.dhcpmon.exe.4850000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.dhcpmon.exe.4850000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Binary string: C:\xampp\htdocs\Loct\78db1e9ae9bb491b9cd0254e41b5746a\Loader\plcnhijn\Release\plcnhijn.pdb`+@? source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000000.00000002.660015658.0000000000409000.00000004.00020000.sdmp, Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000B.00000002.697505701.000000001000B000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.703412825.000000001000B000.00000002.00020000.sdmp, ymbom.dll.11.dr
Source: Binary string: scorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.912643678.0000000002315000.00000004.00000040.sdmp
Source: Binary string: C:\xampp\htdocs\Loct\78db1e9ae9bb491b9cd0254e41b5746a\Loader\plcnhijn\Release\plcnhijn.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000000.00000002.660015658.0000000000409000.00000004.00020000.sdmp, Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000B.00000002.697505701.000000001000B000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.703412825.000000001000B000.00000002.00020000.sdmp, ymbom.dll.11.dr
Source: Binary string: wntdll.pdbUGP source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000000.00000003.650720959.0000000002B20000.00000004.00000001.sdmp, Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000B.00000003.692061997.0000000002B20000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.688134610.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp, Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000D.00000002.711791152.000000000282E000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.717988844.00000000036EC000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000000.00000003.650720959.0000000002B20000.00000004.00000001.sdmp, Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000B.00000003.692061997.0000000002B20000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.688134610.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.912643678.0000000002315000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.912643678.0000000002315000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.912643678.0000000002315000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.912643678.0000000002315000.00000004.00000040.sdmp

Data Obfuscation:

barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Unpacked PE file: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Unpacked PE file: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Unpacked PE file: 15.2.dhcpmon.exe.4850000.10.unpack
.NET source code contains potential unpacker
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.dhcpmon.exe.4850000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.dhcpmon.exe.4850000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10012420 push eax; ret 0_2_100123D1
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_100118E8 push EC1000D5h; iretd 0_2_10011975
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10002B45 push ecx; ret 0_2_10002B58
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10012370 push eax; ret 0_2_100123D1
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10011978 pushfd ; retf 0_2_10011989
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_1001198C push EC1000D5h; iretd 0_2_10011975
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_100119B8 pushad ; retf 0_2_100119BD
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_00401F16 push ecx; ret 3_2_00401F29
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_009274B8 push ebp; ret 3_2_009274B9
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_009274AC push ecx; ret 3_2_009274AD
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_00929D74 push eax; retf 3_2_00929D75
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_00929D78 pushad ; retf 3_2_00929D79
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_1_00401F16 push ecx; ret 3_1_00401F29
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10012420 push eax; ret 11_2_100123D1
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_100118E8 push EC1000D5h; iretd 11_2_10011975
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10002B45 push ecx; ret 11_2_10002B58
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10012370 push eax; ret 11_2_100123D1
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10011978 pushfd ; retf 11_2_10011989
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_1001198C push EC1000D5h; iretd 11_2_10011975
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_100119B8 pushad ; retf 11_2_100119BD
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_00401F16 push ecx; ret 13_2_00401F29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10012420 push eax; ret 14_2_100123D1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_100118E8 push EC1000D5h; iretd 14_2_10011975
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10002B45 push ecx; ret 14_2_10002B58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10012370 push eax; ret 14_2_100123D1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10011978 pushfd ; retf 14_2_10011989
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_1001198C push EC1000D5h; iretd 14_2_10011975
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_100119B8 pushad ; retf 14_2_100119BD
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00401F16 push ecx; ret 15_2_00401F29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0090080B push ss; retf 15_2_0090080C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_1_00401F16 push ecx; ret 15_1_00401F29
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405C49
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 15.2.dhcpmon.exe.4850000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.2.dhcpmon.exe.4850000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

barindex
Creates processes with suspicious names
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: \purchase order - mulberry pty ltd po# 8083 .exe
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: \purchase order - mulberry pty ltd po# 8083 .exe
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: \purchase order - mulberry pty ltd po# 8083 .exe
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: \purchase order - mulberry pty ltd po# 8083 .exe
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: \purchase order - mulberry pty ltd po# 8083 .exe
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: \purchase order - mulberry pty ltd po# 8083 .exe Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: \purchase order - mulberry pty ltd po# 8083 .exe Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: \purchase order - mulberry pty ltd po# 8083 .exe Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: \purchase order - mulberry pty ltd po# 8083 .exe Jump to behavior
Drops PE files
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File created: C:\Users\user\AppData\Local\Temp\nsj88F4.tmp\ymbom.dll Jump to dropped file
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: C:\Users\user\AppData\Local\Temp\nsm511B.tmp\ymbom.dll Jump to dropped file
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: C:\Users\user\AppData\Local\Temp\nsk7EB3.tmp\ymbom.dll Jump to dropped file
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5CB6.tmp

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe File opened: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe TID: 6896 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe TID: 5364 Thread sleep time: -160000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe TID: 2440 Thread sleep count: 42 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe TID: 2572 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6980 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6972 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Window / User API: threadDelayed 560 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Window / User API: foregroundWindowGot 926 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_04A0142A GetSystemInfo, 3_2_04A0142A
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405250
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00405C22 FindFirstFileA,FindClose, 0_2_00405C22
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_00404A29 FindFirstFileExW, 3_2_00404A29
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 11_2_00405250
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_00405C22 FindFirstFileA,FindClose, 11_2_00405C22
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_00402630 FindFirstFileA, 11_2_00402630
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_00404A29 FindFirstFileExW, 13_2_00404A29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00404A29 FindFirstFileExW, 15_2_00404A29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_1_00404A29 FindFirstFileExW, 15_1_00404A29
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe API call chain: ExitProcess graph end node
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.911124762.0000000000622000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_1000461A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_1000461A
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_1000461A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_1000461A
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405C49
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10001280 hqxmlwdbye,GetProcessHeap,RtlAllocateHeap,VirtualProtect, 0_2_10001280
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10010402 mov eax, dword ptr fs:[00000030h] 0_2_10010402
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10010616 mov eax, dword ptr fs:[00000030h] 0_2_10010616
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_100106C7 mov eax, dword ptr fs:[00000030h] 0_2_100106C7
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10010706 mov eax, dword ptr fs:[00000030h] 0_2_10010706
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10010744 mov eax, dword ptr fs:[00000030h] 0_2_10010744
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_004035F1 mov eax, dword ptr fs:[00000030h] 3_2_004035F1
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_1_004035F1 mov eax, dword ptr fs:[00000030h] 3_1_004035F1
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10010402 mov eax, dword ptr fs:[00000030h] 11_2_10010402
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10010616 mov eax, dword ptr fs:[00000030h] 11_2_10010616
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_100106C7 mov eax, dword ptr fs:[00000030h] 11_2_100106C7
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10010706 mov eax, dword ptr fs:[00000030h] 11_2_10010706
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_10010744 mov eax, dword ptr fs:[00000030h] 11_2_10010744
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_004035F1 mov eax, dword ptr fs:[00000030h] 13_2_004035F1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10010402 mov eax, dword ptr fs:[00000030h] 14_2_10010402
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10010616 mov eax, dword ptr fs:[00000030h] 14_2_10010616
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_100106C7 mov eax, dword ptr fs:[00000030h] 14_2_100106C7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10010706 mov eax, dword ptr fs:[00000030h] 14_2_10010706
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_10010744 mov eax, dword ptr fs:[00000030h] 14_2_10010744
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_004035F1 mov eax, dword ptr fs:[00000030h] 15_2_004035F1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_1_004035F1 mov eax, dword ptr fs:[00000030h] 15_1_004035F1
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_1000237E SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_1000237E
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_00401E1D SetUnhandledExceptionFilter, 3_2_00401E1D
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0040446F
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00401C88
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00401F30
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_1_00401E1D SetUnhandledExceptionFilter, 3_1_00401E1D
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 11_2_1000237E SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1000237E
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_00401E1D SetUnhandledExceptionFilter, 13_2_00401E1D
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_0040446F
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00401C88
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 13_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00401F30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_1000237E SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_1000237E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00401E1D SetUnhandledExceptionFilter, 15_2_00401E1D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0040446F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00401C88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00401F30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_1_00401E1D SetUnhandledExceptionFilter, 15_1_00401E1D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_1_0040446F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_1_00401C88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_1_00401F30

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Memory written: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Memory written: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe "C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe" Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5CB6.tmp Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp6429.tmp Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Process created: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe "C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe" 0 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 Jump to behavior
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.911124762.0000000000622000.00000004.00000020.sdmp Binary or memory string: bProgram Manager
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.912933688.0000000002746000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.911789655.0000000000DC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.911789655.0000000000DC0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.911124762.0000000000622000.00000004.00000020.sdmp Binary or memory string: iqProgram Manager
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.911789655.0000000000DC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_10001EDA cpuid 0_2_10001EDA
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_00401B74
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 0_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_0040594D
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_0091B0CA GetUserNameW, 3_2_0091B0CA

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2441458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.373dd79.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3738343.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.2200000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.2200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e5730.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3738343.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5114629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2441458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e5730.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4850000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.36b3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a8343.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3733506.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.36b3258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.373dd79.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.717988844.00000000036EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912664757.0000000002322000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.710919789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.717482187.0000000002200000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.911073120.00000000005B6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711053086.0000000000506000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.693119154.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.716217507.00000000004D5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.702734026.0000000002430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.716130336.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.661434639.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711912527.000000000385C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912385111.00000000022D0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711854712.0000000003821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.659439082.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.718225009.0000000004852000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.717924088.00000000036B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912764065.00000000026B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.701171418.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711556694.0000000002400000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.658682840.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.695033626.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.697903299.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.910935866.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.697418143.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.700051302.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.914365735.0000000005110000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711653141.0000000002472000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 4828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 6572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6684, type: MEMORYSTR

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000000.00000002.661434639.0000000002940000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe String found in binary or memory: NanoCore.ClientPluginHost
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000B.00000002.697418143.0000000002940000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe String found in binary or memory: NanoCore.ClientPluginHost
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000D.00000002.711791152.000000000282E000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe, 0000000D.00000002.711791152.000000000282E000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: dhcpmon.exe, 0000000E.00000002.702734026.0000000002430000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000F.00000002.717988844.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000000F.00000002.717988844.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Yara detected Nanocore RAT
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2441458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.373dd79.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3738343.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2320000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2470000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.2200000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.2200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2951458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e5730.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5c3780.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.373dd79.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3738343.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.22d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3823258.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5114629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a3506.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38add79.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2441458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.5110000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e5730.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.3733506.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4850000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.2940000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.36b3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.513890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.38a8343.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3733506.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.36b3258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.373dd79.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.Purchase Order - MULBERRY PTY LTD PO# 8083 .exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.717988844.00000000036EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912664757.0000000002322000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.710919789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.717482187.0000000002200000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.911073120.00000000005B6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.913617179.000000000372C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711053086.0000000000506000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.693119154.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.716217507.00000000004D5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.702734026.0000000002430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.716130336.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.661434639.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711912527.000000000385C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912385111.00000000022D0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711854712.0000000003821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.659439082.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.718225009.0000000004852000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.717924088.00000000036B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.912764065.00000000026B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.701171418.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711556694.0000000002400000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.658682840.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.695033626.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.697903299.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.910935866.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.697418143.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.700051302.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.914365735.0000000005110000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.711653141.0000000002472000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 4828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 6572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order - MULBERRY PTY LTD PO# 8083 .exe PID: 5768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6684, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_04A02A66 bind, 3_2_04A02A66
Source: C:\Users\user\Desktop\Purchase Order - MULBERRY PTY LTD PO# 8083 .exe Code function: 3_2_04A02A33 bind, 3_2_04A02A33
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526064 Sample: Purchase Order - MULBERRY P... Startdate: 22/11/2021 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for dropped file 2->62 64 11 other signatures 2->64 8 Purchase Order - MULBERRY PTY LTD PO# 8083 .exe 17 2->8         started        13 dhcpmon.exe 16 2->13         started        15 Purchase Order - MULBERRY PTY LTD PO# 8083 .exe 16 2->15         started        process3 dnsIp4 56 192.168.2.1 unknown unknown 8->56 48 C:\Users\user\AppData\Local\...\ymbom.dll, PE32 8->48 dropped 68 Injects a PE file into a foreign processes 8->68 17 Purchase Order - MULBERRY PTY LTD PO# 8083 .exe 1 14 8->17         started        50 C:\Users\user\AppData\Local\...\ymbom.dll, PE32 13->50 dropped 22 dhcpmon.exe 3 13->22         started        52 C:\Users\user\AppData\Local\...\ymbom.dll, PE32 15->52 dropped 24 Purchase Order - MULBERRY PTY LTD PO# 8083 .exe 3 15->24         started        file5 signatures6 process7 dnsIp8 54 79.134.225.112, 6432 FINK-TELECOM-SERVICESCH Switzerland 17->54 36 C:\Program Files (x86)\...\dhcpmon.exe, PE32 17->36 dropped 38 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 17->38 dropped 40 C:\Users\user\AppData\Local\...\tmp5CB6.tmp, XML 17->40 dropped 42 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 17->42 dropped 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->66 26 schtasks.exe 1 17->26         started        28 schtasks.exe 1 17->28         started        30 wuapihost.exe 17->30         started        44 C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII 22->44 dropped 46 Purchase Order - M...D PO# 8083 .exe.log, ASCII 24->46 dropped file9 signatures10 process11 process12 32 conhost.exe 26->32         started        34 conhost.exe 28->34         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
79.134.225.112
 unknown Switzerland
6775 FINK-TELECOM-SERVICESCH true

Private
IP
192.168.2.1

Contacted URLs

Name Malicious Antivirus Detection Reputation
true
  • Avira URL Cloud: safe
 low
79.134.225.112 true
  • 4%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown