Windows Analysis Report purchase order Nl32855 (1).exe

Overview

General Information

Sample Name: purchase order Nl32855 (1).exe
Analysis ID: 526200
MD5: c466151570c893f56d548a9689155656
SHA1: 3e779ff5c71f319fc2d3bd4fc577c4769873c47c
SHA256: dee5267af261b8e291b83b01b12c4149204b20754cd1714bd974ae1dae447a44
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Initial sample is a PE file and has a suspicious name
Connects to many ports of the same IP (likely port scanning)
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file name differs from the original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore
  "Version": "1.2.2.0"
  "Mutex": "6c7be0fb-d973-4d3c-b342-92a2df7c"
  "Group": "Wiz"
  "Domain1": "lizaelock.ddns.net"
  "Domain2": ""
  "Port": 52149
  "KeyboardLogging": "Enable"
  "RunOnStartup": "Enable"
  "RequestElevation": "Disable"
  "BypassUAC": "Enable"
  "ClearZoneIdentifier": "Enable"
  "ClearAccessControl": "Enable"
  "SetCriticalProcess": "Enable"
  "PreventSystemSleep": "Enable"
  "ActivateAwayMode": "Disable"
  "EnableDebugMode": "Disable"
  "RunDelay": 0
  "ConnectDelay": 4000
  "RestartDelay": 5000
  "TimeoutInterval": 5000
  "KeepAliveTimeout": 30000
  "MutexTimeout": 5000
  "LanTimeout": 2500
  "WanTimeout": 8009
  "BufferSize": "02000100"
  "MaxPacketSize": ""
  "GCThreshold": ""
  "BypassUserAccountControlData" (scheduled-task XML, escape sequences decoded):
  <?xml version="1.0" encoding="UTF-16"?>
  <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
   <RegistrationInfo />
   <Triggers />
   <Principals>
    <Principal id="Author">
     <LogonType>InteractiveToken</LogonType>
     <RunLevel>HighestAvailable</RunLevel>
    </Principal>
   </Principals>
   <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
     <StopOnIdleEnd>false</StopOnIdleEnd>
     <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
   </Settings>
   <Actions Context="Author">
    <Exec>
     <Command>"#EXECUTABLEPATH"</Command>
     <Arguments>$(Arg0)</Arguments>
    </Exec>
   </Actions>
  </Task>
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe ReversingLabs: Detection: 20%
Yara detected Nanocore RAT
Machine Learning detection for sample
Source: purchase order Nl32855 (1).exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack Avira: Label: TR/NanoCore.fadte
Source: 20.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack Avira: Label: TR/NanoCore.fadte
Source: 20.0.dhcpmon.exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: purchase order Nl32855 (1).exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: purchase order Nl32855 (1).exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: purchase order Nl32855 (1).exe, 00000007.00000002.917579790.0000000003411000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 4x nop then jmp 029B6D31h 0_2_029B6C28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 4x nop then jmp 029B6D31h 0_2_029B6C18
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 4x nop then mov esp, ebp 7_2_018D8920
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 4x nop then jmp 05596D31h 10_2_05596C28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 4x nop then jmp 05596D31h 10_2_05596C18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then jmp 02CE6D31h 14_2_02CE6C28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then jmp 02CE6D31h 14_2_02CE6C18

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49786 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49788 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49794 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49823 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49825 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49831 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49833 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49852 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49857 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49860 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49863 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49864 -> 194.5.98.139:52149
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49865 -> 194.5.98.139:52149
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 194.5.98.139 ports 1,2,4,5,9,52149
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: lizaelock.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: lizaelock.ddns.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE DANILENKODE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49779 -> 194.5.98.139:52149
Source: unknown DNS traffic detected: queries for: lizaelock.ddns.net
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_05602FE2 WSARecv, 7_2_05602FE2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: purchase order Nl32855 (1).exe, 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.45194f9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.purchase order Nl32855 (1).exe.4486ab9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.purchase order Nl32855 (1).exe.446db22.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.dhcpmon.exe.48d94f9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.dhcpmon.exe.48d94f9.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.45194f9.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.purchase order Nl32855 (1).exe.6004629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.purchase order Nl32855 (1).exe.6000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.purchase order Nl32855 (1).exe.4482490.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.744635827.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.917874645.000000000446B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.717504195.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.728891545.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTR

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Process information set: 01 00 00 00 Jump to behavior

System Summary:

Malicious sample detected (through community Yara rule)
Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.34e8b54.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.purchase order Nl32855 (1).exe.3328aac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.34e3ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.45194f9.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.450ec86.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.purchase order Nl32855 (1).exe.3421628.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.purchase order Nl32855 (1).exe.5ff0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.purchase order Nl32855 (1).exe.4486ab9.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.38a8b54.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.purchase order Nl32855 (1).exe.446db22.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.38a3ac8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.34e3ac8.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.purchase order Nl32855 (1).exe.5d50000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.38a3ac8.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.48cec86.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.48d94f9.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.48d94f9.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.purchase order Nl32855 (1).exe.3421628.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.45194f9.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.purchase order Nl32855 (1).exe.6004629.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.purchase order Nl32855 (1).exe.34264a4.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.744635827.00000000034C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.922681658.0000000005FF0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.922602924.0000000005D50000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.717504195.0000000003301000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.728891545.0000000003881000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: purchase order Nl32855 (1).exe
Uses 32bit PE files
Source: purchase order Nl32855 (1).exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.34e8b54.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.34e8b54.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.purchase order Nl32855 (1).exe.3328aac.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.purchase order Nl32855 (1).exe.3328aac.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.34e3ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.34e3ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.45194f9.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.45194f9.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.450ec86.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.450ec86.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.purchase order Nl32855 (1).exe.3421628.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.3421628.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.purchase order Nl32855 (1).exe.5ff0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.5ff0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.purchase order Nl32855 (1).exe.4486ab9.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.4486ab9.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.38a8b54.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.38a8b54.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.purchase order Nl32855 (1).exe.446db22.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.446db22.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.dhcpmon.exe.38a3ac8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.38a3ac8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.34e3ac8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.34e3ac8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.purchase order Nl32855 (1).exe.5d50000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.5d50000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.38a3ac8.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.38a3ac8.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.48cec86.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.48cec86.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.dhcpmon.exe.48d94f9.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.48d94f9.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.48d94f9.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.48d94f9.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.purchase order Nl32855 (1).exe.3421628.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.3421628.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.45194f9.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.45194f9.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.purchase order Nl32855 (1).exe.6004629.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.6004629.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.purchase order Nl32855 (1).exe.34264a4.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.34264a4.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.744635827.00000000034C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.922681658.0000000005FF0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.922681658.0000000005FF0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.922602924.0000000005D50000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.922602924.0000000005D50000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.717504195.0000000003301000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.728891545.0000000003881000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_00619A7C 0_2_00619A7C
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_029B0EE0 0_2_029B0EE0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_029BF438 0_2_029BF438
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_029B6C28 0_2_029B6C28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_029B7F98 0_2_029B7F98
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_029BD5C0 0_2_029BD5C0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_029B5768 0_2_029B5768
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_029B6C18 0_2_029B6C18
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_029B575A 0_2_029B575A
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A6B220 0_2_06A6B220
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A61E28 0_2_06A61E28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A681E0 0_2_06A681E0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A60D38 0_2_06A60D38
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A61560 0_2_06A61560
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A686A0 0_2_06A686A0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A68691 0_2_06A68691
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A6B6E8 0_2_06A6B6E8
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A69AF0 0_2_06A69AF0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A6C6D8 0_2_06A6C6D8
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A64A20 0_2_06A64A20
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A64E2A 0_2_06A64E2A
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A60230 0_2_06A60230
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A64E38 0_2_06A64E38
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A63A08 0_2_06A63A08
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A64A10 0_2_06A64A10
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A65A11 0_2_06A65A11
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A64FD8 0_2_06A64FD8
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A69B00 0_2_06A69B00
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A6AB40 0_2_06A6AB40
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A60CB9 0_2_06A60CB9
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A64480 0_2_06A64480
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A64490 0_2_06A64490
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A69498 0_2_06A69498
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A64C08 0_2_06A64C08
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A64C18 0_2_06A64C18
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A69879 0_2_06A69879
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A68C50 0_2_06A68C50
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A639FA 0_2_06A639FA
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 0_2_06A681CF 0_2_06A681CF
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_00C39A7C 7_2_00C39A7C
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_018D2FA8 7_2_018D2FA8
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_018D23A0 7_2_018D23A0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_018DB748 7_2_018DB748
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_018D9A78 7_2_018D9A78
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_018D8E78 7_2_018D8E78
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_018D306F 7_2_018D306F
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_018D9B3F 7_2_018D9B3F
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_018DD298 7_2_018DD298
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_00CF9A7C 10_2_00CF9A7C
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_05595758 10_2_05595758
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_05597F98 10_2_05597F98
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_05596C28 10_2_05596C28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_05590EE0 10_2_05590EE0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_05596C18 10_2_05596C18
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08561560 10_2_08561560
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08560D38 10_2_08560D38
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_085681E0 10_2_085681E0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_0856B1A0 10_2_0856B1A0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08561E28 10_2_08561E28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08568C50 10_2_08568C50
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08568C10 10_2_08568C10
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08564C18 10_2_08564C18
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08564C08 10_2_08564C08
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08564490 10_2_08564490
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08560C99 10_2_08560C99
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08564480 10_2_08564480
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_085681CF 10_2_085681CF
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_085639FA 10_2_085639FA
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_0856C658 10_2_0856C658
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_0856B668 10_2_0856B668
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08564A10 10_2_08564A10
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08563A08 10_2_08563A08
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08560230 10_2_08560230
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08564E38 10_2_08564E38
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08564A20 10_2_08564A20
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08564E2A 10_2_08564E2A
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08568691 10_2_08568691
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_085686A0 10_2_085686A0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_0856AB40 10_2_0856AB40
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08569B00 10_2_08569B00
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 10_2_08564FD8 10_2_08564FD8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_00879A7C 14_2_00879A7C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_02CE0EE0 14_2_02CE0EE0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_02CEE019 14_2_02CEE019
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_02CE6C28 14_2_02CE6C28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_02CEF428 14_2_02CEF428
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_02CE7F98 14_2_02CE7F98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_02CED5B0 14_2_02CED5B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_02CE6C18 14_2_02CE6C18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C1E28 14_2_069C1E28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069CB1A0 14_2_069CB1A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C81E0 14_2_069C81E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C0D38 14_2_069C0D38
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C1560 14_2_069C1560
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C8691 14_2_069C8691
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C86A0 14_2_069C86A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C9AF0 14_2_069C9AF0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C4A10 14_2_069C4A10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C5A11 14_2_069C5A11
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C3A08 14_2_069C3A08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C4E38 14_2_069C4E38
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C0230 14_2_069C0230
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C4E2B 14_2_069C4E2B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C4A20 14_2_069C4A20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069CC658 14_2_069CC658
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069CB668 14_2_069CB668
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C4FD8 14_2_069C4FD8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C9B00 14_2_069C9B00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069CAB40 14_2_069CAB40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C9498 14_2_069C9498
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C4490 14_2_069C4490
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C4480 14_2_069C4480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C0CB9 14_2_069C0CB9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C4C18 14_2_069C4C18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C8C10 14_2_069C8C10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C4C08 14_2_069C4C08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C8C50 14_2_069C8C50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C9879 14_2_069C9879
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C81CF 14_2_069C81CF
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C39FB 14_2_069C39FB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_069C1970 14_2_069C1970
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 16_2_00A69A7C 16_2_00A69A7C
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 16_2_054523A0 16_2_054523A0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 16_2_05452FA8 16_2_05452FA8
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 16_2_0545306F 16_2_0545306F
Contains functionality to call native functions
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_05601772 NtSetInformationProcess, 7_2_05601772
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_05601A36 NtQuerySystemInformation, 7_2_05601A36
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_05601741 NtSetInformationProcess, 7_2_05601741
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Code function: 7_2_056019FB NtQuerySystemInformation, 7_2_056019FB
PE file contains executable resources (Code or Archives)
Source: purchase order Nl32855 (1).exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: qZEskWcTYJLciB.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: dhcpmon.exe.7.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: purchase order Nl32855 (1).exe Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678257023.0000000005130000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000000.00000002.676152952.0000000002F8C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000000.00000002.674723416.0000000000612000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000000.673881959.0000000000C32000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917579790.0000000003411000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917579790.0000000003411000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917081627.000000000143A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 0000000A.00000002.703781417.00000000033D2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 0000000A.00000002.701989732.0000000000CF2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 0000000A.00000002.703004416.0000000001479000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000010.00000000.701139570.0000000000A62000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
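The OriginalFilename entries above are what the report's "binary or memory string" check recovers from the VS_VERSIONINFO resource and then compares with the name the sample was run under. The following is an added example, not code from the report or from Joe Sandbox, that performs the same comparison on raw bytes. The VS_VERSIONINFO fragment it scans is constructed for the example; only the value TLq1z.exe is taken from the report, the other keys and values are assumptions.

```python
import re
import struct
from typing import List

# Added example (not from the report): recover OriginalFilename from the raw bytes of a
# PE file or a memory dump and compare it with the name the sample was run under.
# Only "TLq1z.exe" comes from the report; the other keys/values below are assumptions.

def _string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO 'String' structure: wLength, wValueLength, wType=1,
    UTF-16LE szKey with terminator, padding to a 32-bit boundary, UTF-16LE value."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    val_b = value.encode("utf-16-le") + b"\x00\x00"
    pad = (-(6 + len(key_b))) % 4
    body = key_b + b"\x00" * pad + val_b
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body

# Constructed sample input standing in for a file or memory region.
CONSTRUCTED_VERSION_BLOB = (
    b"\x00" * 16                                   # stands in for the enclosing structures
    + _string_entry("CompanyName", "Example Co")   # assumed value
    + _string_entry("OriginalFilename", "TLq1z.exe")
    + _string_entry("ProductVersion", "1.0.0.0")   # assumed value
)

_KEY = re.escape("OriginalFilename".encode("utf-16-le") + b"\x00\x00")

def original_filenames(data: bytes) -> List[str]:
    """Every OriginalFilename value found by scanning raw bytes, the way a sandbox
    'binary or memory string' check does.

    After the key's NUL terminator the value starts on the next 32-bit boundary
    measured from the start of the String entry (6 bytes before the key) and ends at
    the first NUL WCHAR. Stopping there matters: the trailing character in the report's
    'TLq1z.exeP' or 'Bunifu.UI.dll4' is not part of the name but an adjacent byte of
    the resource that a looser string scan drags along.
    """
    found = []
    for m in re.finditer(_KEY, data):
        entry_start = m.start() - 6
        value_start = m.end() + ((entry_start - m.end()) % 4)
        end = value_start
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        found.append(data[value_start:end].decode("utf-16-le", errors="replace"))
    return found

def name_mismatches(sample_name: str, data: bytes) -> List[str]:
    """OriginalFilename values that differ from the on-disk name (case-insensitive):
    the condition behind 'Sample file is different than original file name'."""
    return [n for n in original_filenames(data) if n and n.lower() != sample_name.lower()]

if __name__ == "__main__":
    for n in name_mismatches("purchase order Nl32855 (1).exe", CONSTRUCTED_VERSION_BLOB):
        print(f"OriginalFilename {n!r} differs from the on-disk name")
```

Run against a whole process dump rather than the file on disk, the same scan also surfaces the names of the decrypted NanoCore components (ClientPlugin.dll, NanoProtectClient.dll, SurveillanceExClientPlugin.dll) that are not visible in the packed sample, which is why the report lists them only for the child processes.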
Source: purchase order Nl32855 (1).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: qZEskWcTYJLciB.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe File read: C:\Users\user\Desktop\purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe "C:\Users\user\Desktop\purchase order Nl32855 (1).exe"
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F1D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe "C:\Users\user\Desktop\purchase order Nl32855 (1).exe" 0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2A39.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpE496.tmp"
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpF1A6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
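Every persistence step in the process list above has the same shape: the sample (or its copy dhcpmon.exe) spawns schtasks.exe with /create and imports the task definition from a tmp file in the user's AppData\Local\Temp, which is the behaviour behind "Sigma detected: Suspicius Add Task From User AppData Temp" and "Uses schtasks.exe or at.exe to add and modify task schedules". The following detection logic is an added example, not the report's or the Sigma project's rule. The process-creation events it scans are constructed for the example from the command lines in the report (quotes balanced as Windows logs them); the ProcEvent record layout, the benign cmd.exe control event and the parent-path heuristic are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the report or from the Sigma project): flag schtasks.exe task
# creation whose task definition is imported from the user's AppData\Local\Temp.

@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed layout; map it from Sysmon ID 1 / 4688)."""
    parent_image: str
    image: str
    command_line: str

# Constructed events. The first three mirror command lines in the report; the cmd.exe
# event is an assumed benign control; the last is the conhost child seen in the report.
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\purchase order Nl32855 (1).exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp"'),
    ProcEvent(r"C:\Users\user\Desktop\purchase order Nl32855 (1).exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks.exe /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F1D.tmp"'),
    ProcEvent(r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpD.tmp"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Backup" /xml "\\fileserver\it\tasks\backup.xml"'),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
_USER_PATH = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)

def _switch_value(cmd: str, switch: str) -> Optional[str]:
    """Value of a schtasks switch such as /tn or /xml. Handles quoted and bare values
    and is case-insensitive, since schtasks accepts /Create and /create alike."""
    m = re.search(r'(?<!\S)/' + switch + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def suspicious_task_create(ev: ProcEvent) -> Optional[dict]:
    """Alert details when schtasks /create imports its XML from AppData\\Local\\Temp."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    if not re.search(r"(?<!\S)/create(?!\S)", ev.command_line, re.IGNORECASE):
        return None
    xml = _switch_value(ev.command_line, "xml")
    if xml is None or not _TEMP_DIR.search(xml):
        return None
    return {
        "task": _switch_value(ev.command_line, "tn"),
        "xml": xml,
        "parent": ev.parent_image,
        # Extra triage context (assumed heuristic): did the creator run from a user path?
        "parent_in_user_path": bool(_USER_PATH.match(ev.parent_image)),
    }

def scan(events: List[ProcEvent]) -> List[dict]:
    """Apply the rule to a batch of events and return the hits in order."""
    return [hit for hit in (suspicious_task_create(e) for e in events) if hit]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

The tmp file is the only copy of the task definition and the sample deletes nothing from the task store itself, so on a live host the task names (Updates\qZEskWcTYJLciB, DHCP Monitor, DHCP Monitor Task) and the Program Files (x86)\DHCP Monitor\dhcpmon.exe path are the durable indicators to pivot on; the tmpXXXX.tmp names vary per run and are not worth alerting on by themselves.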
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe