Play interactive tour

Edit tour

Windows Analysis Report G2M8C76V_INV0ICE_RECEIPT.exe

Overview

General Information

Sample Name:	G2M8C76V_INV0ICE_RECEIPT.exe
Analysis ID:	552628
MD5:	d272e884f59ff9d7921619f88766709d
SHA1:	b9013dcffc28e174c1cb7d81fd46b6463b4ff579
SHA256:	94a00e5d13eebc1a99dd48e2d9f9cb48935c424c6bd58ab9f6d78ff0caa36506
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Detected unpacking (creates a PE file in dynamic memory)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

G2M8C76V_INV0ICE_RECEIPT.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" MD5: D272E884F59FF9D7921619F88766709D)

G2M8C76V_INV0ICE_RECEIPT.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" MD5: D272E884F59FF9D7921619F88766709D)

chmac.exe (PID: 6288 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: D272E884F59FF9D7921619F88766709D)

chmac.exe (PID: 6556 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: D272E884F59FF9D7921619F88766709D)

chmac.exe (PID: 6760 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: D272E884F59FF9D7921619F88766709D)

chmac.exe (PID: 6820 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: D272E884F59FF9D7921619F88766709D)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1f8684ca-0835-4252-89d1-4a2b1be1", "Group": "boy of john", "Domain1": "boyhome5100.duckdns.org", "Domain2": "boyhome5100.duckdns.org", "Port": 5100, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x122d3:$c: ProjectData 0x12cda:$d: DESCrypto 0x1a6a6:$e: KeepAlive 0x18694:$g: LogClientMessage 0x1488f:$i: get_Connected 0x13010:$j: #=q 0x13040:$j: #=q 0x1305c:$j: #=q 0x1308c:$j: #=q 0x130a8:$j: #=q 0x130c4:$j: #=q 0x130f4:$j: #=q 0x13110:$j: #=q
0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x24415:$x1: NanoCore.ClientPluginHost 0x24452:$x2: IClientNetworkHost 0x27f85:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbb80:$a: NanoCore 0x2417d:$a: NanoCore 0x2418d:$a: NanoCore 0x243c1:$a: NanoCore 0x243d5:$a: NanoCore 0x24415:$a: NanoCore 0x241dc:$b: ClientPlugin 0x243de:$b: ClientPlugin 0x2441e:$b: ClientPlugin 0x24303:$c: ProjectData 0x24d0a:$d: DESCrypto 0x2c6d6:$e: KeepAlive 0x2a6c4:$g: LogClientMessage 0x268bf:$i: get_Connected 0x25040:$j: #=q 0x25070:$j: #=q 0x2508c:$j: #=q 0x250bc:$j: #=q 0x250d8:$j: #=q 0x250f4:$j: #=q 0x25124:$j: #=q
0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x26b45:$x1: NanoCore.ClientPluginHost 0x26b82:$x2: IClientNetworkHost 0x2a6b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6988:$a: NanoCore 0x268ad:$a: NanoCore 0x268bd:$a: NanoCore 0x26af1:$a: NanoCore 0x26b05:$a: NanoCore 0x26b45:$a: NanoCore 0x2690c:$b: ClientPlugin 0x26b0e:$b: ClientPlugin 0x26b4e:$b: ClientPlugin 0x26a33:$c: ProjectData 0x2743a:$d: DESCrypto 0x2ee06:$e: KeepAlive 0x2cdf4:$g: LogClientMessage 0x28fef:$i: get_Connected 0x27770:$j: #=q 0x277a0:$j: #=q 0x277bc:$j: #=q 0x277ec:$j: #=q 0x27808:$j: #=q 0x27824:$j: #=q 0x27854:$j: #=q
00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x122d3:$c: ProjectData 0x12cda:$d: DESCrypto 0x1a6a6:$e: KeepAlive 0x18694:$g: LogClientMessage 0x1488f:$i: get_Connected 0x13010:$j: #=q 0x13040:$j: #=q 0x1305c:$j: #=q 0x1308c:$j: #=q 0x130a8:$j: #=q 0x130c4:$j: #=q 0x130f4:$j: #=q 0x13110:$j: #=q
00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19667:$a: NanoCore 0x196c0:$a: NanoCore 0x196fd:$a: NanoCore 0x19776:$a: NanoCore 0x196c9:$b: ClientPlugin 0x19706:$b: ClientPlugin 0x1a004:$b: ClientPlugin 0x1a011:$b: ClientPlugin 0x10ed0:$e: KeepAlive 0x19b51:$g: LogClientMessage 0x19ad1:$i: get_Connected 0xb699:$j: #=q 0xb6c9:$j: #=q 0xb705:$j: #=q 0xb72d:$j: #=q 0xb75d:$j: #=q 0xb78d:$j: #=q 0xb7bd:$j: #=q 0xb7ed:$j: #=q 0xb809:$j: #=q 0xb839:$j: #=q
00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42dfd:$a: NanoCore 0x42e56:$a: NanoCore 0x42e93:$a: NanoCore 0x42f0c:$a: NanoCore 0x565b7:$a: NanoCore 0x565cc:$a: NanoCore 0x56601:$a: NanoCore 0x6f093:$a: NanoCore 0x6f0a8:$a: NanoCore 0x6f0dd:$a: NanoCore 0x42e5f:$b: ClientPlugin 0x42e9c:$b: ClientPlugin 0x4379a:$b: ClientPlugin 0x437a7:$b: ClientPlugin 0x56373:$b: ClientPlugin 0x5638e:$b: ClientPlugin 0x563be:$b: ClientPlugin 0x565d5:$b: ClientPlugin 0x5660a:$b: ClientPlugin 0x6ee4f:$b: ClientPlugin 0x6ee6a:$b: ClientPlugin
0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42dfd:$a: NanoCore 0x42e56:$a: NanoCore 0x42e93:$a: NanoCore 0x42f0c:$a: NanoCore 0x565b7:$a: NanoCore 0x565cc:$a: NanoCore 0x56601:$a: NanoCore 0x6f093:$a: NanoCore 0x6f0a8:$a: NanoCore 0x6f0dd:$a: NanoCore 0x42e5f:$b: ClientPlugin 0x42e9c:$b: ClientPlugin 0x4379a:$b: ClientPlugin 0x437a7:$b: ClientPlugin 0x56373:$b: ClientPlugin 0x5638e:$b: ClientPlugin 0x563be:$b: ClientPlugin 0x565d5:$b: ClientPlugin 0x5660a:$b: ClientPlugin 0x6ee4f:$b: ClientPlugin 0x6ee6a:$b: ClientPlugin
00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19667:$a: NanoCore 0x196c0:$a: NanoCore 0x196fd:$a: NanoCore 0x19776:$a: NanoCore 0x196c9:$b: ClientPlugin 0x19706:$b: ClientPlugin 0x1a004:$b: ClientPlugin 0x1a011:$b: ClientPlugin 0x10ed0:$e: KeepAlive 0x19b51:$g: LogClientMessage 0x19ad1:$i: get_Connected 0xb699:$j: #=q 0xb6c9:$j: #=q 0xb705:$j: #=q 0xb72d:$j: #=q 0xb75d:$j: #=q 0xb78d:$j: #=q 0xb7bd:$j: #=q 0xb7ed:$j: #=q 0xb809:$j: #=q 0xb839:$j: #=q
00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xda5d9:$x1: NanoCore.ClientPluginHost 0xda616:$x2: IClientNetworkHost 0xde107:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe9146:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xda2a6:$a: NanoCore 0xda2b6:$a: NanoCore 0xda375:$a: NanoCore 0xda384:$a: NanoCore 0xda585:$a: NanoCore 0xda599:$a: NanoCore 0xda5d9:$a: NanoCore 0xe57b0:$a: NanoCore 0xe57c2:$a: NanoCore 0xe57fe:$a: NanoCore 0xda305:$b: ClientPlugin 0xda3ce:$b: ClientPlugin 0xda5a2:$b: ClientPlugin 0xda5e2:$b: ClientPlugin 0xe57cb:$b: ClientPlugin 0xe5807:$b: ClientPlugin 0xda4c7:$c: ProjectData 0xe56fd:$c: ProjectData 0xdae9b:$d: DESCrypto 0xe605b:$d: DESCrypto 0xe2858:$e: KeepAlive
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb6c3a:$x1: NanoCore.ClientPluginHost 0xb6c77:$x2: IClientNetworkHost 0xba768:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc57ee:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb6907:$a: NanoCore 0xb6917:$a: NanoCore 0xb69d6:$a: NanoCore 0xb69e5:$a: NanoCore 0xb6be6:$a: NanoCore 0xb6bfa:$a: NanoCore 0xb6c3a:$a: NanoCore 0xc1e58:$a: NanoCore 0xc1e6a:$a: NanoCore 0xc1ea6:$a: NanoCore 0xb6966:$b: ClientPlugin 0xb6a2f:$b: ClientPlugin 0xb6c03:$b: ClientPlugin 0xb6c43:$b: ClientPlugin 0xc1e73:$b: ClientPlugin 0xc1eaf:$b: ClientPlugin 0xb6b28:$c: ProjectData 0xc1da5:$c: ProjectData 0xb74fc:$d: DESCrypto 0xc2703:$d: DESCrypto 0xbeeb9:$e: KeepAlive
Process Memory Space: chmac.exe PID: 6288	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xcd053:$x1: NanoCore.ClientPluginHost 0xcd090:$x2: IClientNetworkHost 0xd0b81:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xdbbc0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 6288	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 6288	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xccd20:$a: NanoCore 0xccd30:$a: NanoCore 0xccdef:$a: NanoCore 0xccdfe:$a: NanoCore 0xccfff:$a: NanoCore 0xcd013:$a: NanoCore 0xcd053:$a: NanoCore 0xd822a:$a: NanoCore 0xd823c:$a: NanoCore 0xd8278:$a: NanoCore 0xccd7f:$b: ClientPlugin 0xcce48:$b: ClientPlugin 0xcd01c:$b: ClientPlugin 0xcd05c:$b: ClientPlugin 0xd8245:$b: ClientPlugin 0xd8281:$b: ClientPlugin 0xccf41:$c: ProjectData 0xd8177:$c: ProjectData 0xcd915:$d: DESCrypto 0xd8ad5:$d: DESCrypto 0xd52d2:$e: KeepAlive
Process Memory Space: chmac.exe PID: 6556	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe9f:$x1: NanoCore.ClientPluginHost 0x1dbb4:$x1: NanoCore.ClientPluginHost 0x4912e:$x1: NanoCore.ClientPluginHost 0x5fee3:$x1: NanoCore.ClientPluginHost 0x7e9b1:$x1: NanoCore.ClientPluginHost 0x97413:$x1: NanoCore.ClientPluginHost 0xb267a:$x1: NanoCore.ClientPluginHost 0xedc:$x2: IClientNetworkHost 0x1dbf1:$x2: IClientNetworkHost 0x4916b:$x2: IClientNetworkHost 0x5ff20:$x2: IClientNetworkHost 0x7e9ee:$x2: IClientNetworkHost 0x9742d:$x2: IClientNetworkHost 0xb2694:$x2: IClientNetworkHost 0x49cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xfa53:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x216e2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2c768:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4cc5c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x57ce2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x63a11:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 6556	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 6556	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb6c:$a: NanoCore 0xb7c:$a: NanoCore 0xc3b:$a: NanoCore 0xc4a:$a: NanoCore 0xe4b:$a: NanoCore 0xe5f:$a: NanoCore 0xe9f:$a: NanoCore 0xc0bd:$a: NanoCore 0xc0cf:$a: NanoCore 0xc10b:$a: NanoCore 0x18589:$a: NanoCore 0x185f6:$a: NanoCore 0x18669:$a: NanoCore 0x1d881:$a: NanoCore 0x1d891:$a: NanoCore 0x1d950:$a: NanoCore 0x1d95f:$a: NanoCore 0x1db60:$a: NanoCore 0x1db74:$a: NanoCore 0x1dbb4:$a: NanoCore 0x28dd2:$a: NanoCore
Process Memory Space: chmac.exe PID: 6760	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc5e1d:$x1: NanoCore.ClientPluginHost 0xc5e5a:$x2: IClientNetworkHost 0xc994b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd498a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 6760	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 6760	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc5aea:$a: NanoCore 0xc5afa:$a: NanoCore 0xc5bb9:$a: NanoCore 0xc5bc8:$a: NanoCore 0xc5dc9:$a: NanoCore 0xc5ddd:$a: NanoCore 0xc5e1d:$a: NanoCore 0xd0ff4:$a: NanoCore 0xd1006:$a: NanoCore 0xd1042:$a: NanoCore 0xc5b49:$b: ClientPlugin 0xc5c12:$b: ClientPlugin 0xc5de6:$b: ClientPlugin 0xc5e26:$b: ClientPlugin 0xd100f:$b: ClientPlugin 0xd104b:$b: ClientPlugin 0xc5d0b:$c: ProjectData 0xd0f41:$c: ProjectData 0xc66df:$d: DESCrypto 0xd189f:$d: DESCrypto 0xce09c:$e: KeepAlive
Process Memory Space: chmac.exe PID: 6820	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e5c:$x1: NanoCore.ClientPluginHost 0x3153f:$x1: NanoCore.ClientPluginHost 0x49b65:$x1: NanoCore.ClientPluginHost 0x6d6be:$x1: NanoCore.ClientPluginHost 0x723f9:$x1: NanoCore.ClientPluginHost 0x8b188:$x1: NanoCore.ClientPluginHost 0x9ea16:$x1: NanoCore.ClientPluginHost 0x16e99:$x2: IClientNetworkHost 0x3157c:$x2: IClientNetworkHost 0x49ba2:$x2: IClientNetworkHost 0x6d6d8:$x2: IClientNetworkHost 0x72436:$x2: IClientNetworkHost 0x8b1a2:$x2: IClientNetworkHost 0x9ea53:$x2: IClientNetworkHost 0x1a98a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x25a10:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3506d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x400f3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4d693:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x58719:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x75f27:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 6820	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 6820	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x279e:$a: NanoCore 0x280b:$a: NanoCore 0x287e:$a: NanoCore 0x16b29:$a: NanoCore 0x16b39:$a: NanoCore 0x16bf8:$a: NanoCore 0x16c07:$a: NanoCore 0x16e08:$a: NanoCore 0x16e1c:$a: NanoCore 0x16e5c:$a: NanoCore 0x2207a:$a: NanoCore 0x2208c:$a: NanoCore 0x220c8:$a: NanoCore 0x3120c:$a: NanoCore 0x3121c:$a: NanoCore 0x312db:$a: NanoCore 0x312ea:$a: NanoCore 0x314eb:$a: NanoCore 0x314ff:$a: NanoCore 0x3153f:$a: NanoCore 0x3c75d:$a: NanoCore
Click to see the 92 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.chmac.exe.2906888.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
16.2.chmac.exe.2906888.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.chmac.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.2.chmac.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.chmac.exe.415058.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.415058.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.2.chmac.exe.38e3258.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.38e3258.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.chmac.exe.38e3258.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.38e3258.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.0.chmac.exe.415058.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.415058.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.0.chmac.exe.415058.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.415058.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.0.chmac.exe.415058.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.415058.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.2.chmac.exe.4830000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.4830000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.chmac.exe.4830000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.4830000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.1.chmac.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.1.chmac.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.37b0e54.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.chmac.exe.37b0e54.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.chmac.exe.37b0e54.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.658288.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.658288.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.chmac.exe.658288.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.658288.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.chmac.exe.24b0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.24b0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.chmac.exe.24b0000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.24b0000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.0.chmac.exe.415058.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.415058.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.2.chmac.exe.50a9b8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.50a9b8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.chmac.exe.50a9b8.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.50a9b8.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
16.2.chmac.exe.658288.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.658288.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.chmac.exe.658288.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.658288.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.1.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.1.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
13.2.chmac.exe.3011458.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.chmac.exe.3011458.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.chmac.exe.3011458.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.chmac.exe.3011458.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.1.chmac.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.1.chmac.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.chmac.exe.2756888.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.chmac.exe.2756888.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
16.2.chmac.exe.415058.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.415058.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.chmac.exe.415058.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.415058.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.1.chmac.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.1.chmac.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.1.chmac.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.1.chmac.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.chmac.exe.3000000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.chmac.exe.3000000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
13.2.chmac.exe.3000000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.chmac.exe.3000000.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.415058.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.415058.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.chmac.exe.415058.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.415058.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.chmac.exe.2540000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.chmac.exe.2540000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
15.2.chmac.exe.2540000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.chmac.exe.2540000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
15.2.chmac.exe.2551458.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.chmac.exe.2551458.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.2.chmac.exe.2551458.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.chmac.exe.2551458.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.chmac.exe.37ac01e.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0bf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0ec:$x2: IClientNetworkHost
14.2.chmac.exe.37ac01e.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0bf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e19a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0d9:$s5: IClientLoggingHost
14.2.chmac.exe.37ac01e.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.37ac01e.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d075:$a: NanoCore 0x2d08a:$a: NanoCore 0x2d0bf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce31:$b: ClientPlugin 0x2ce4c:$b: ClientPlugin
14.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.chmac.exe.3011458.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.chmac.exe.3011458.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
13.2.chmac.exe.3011458.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.chmac.exe.3011458.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.37b547d.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c60:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c8d:$x2: IClientNetworkHost
14.2.chmac.exe.37b547d.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c60:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d3b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c7a:$s5: IClientLoggingHost
14.2.chmac.exe.37b547d.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.3960e54.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
16.2.chmac.exe.3960e54.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
16.2.chmac.exe.3960e54.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.2.chmac.exe.3733258.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.3733258.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.chmac.exe.3733258.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.3733258.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.2.chmac.exe.400000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.400000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
16.2.chmac.exe.400000.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.400000.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
13.2.chmac.exe.3000000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.chmac.exe.3000000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
13.2.chmac.exe.3000000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.chmac.exe.3000000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
14.2.chmac.exe.50a9b8.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.50a9b8.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.chmac.exe.50a9b8.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.50a9b8.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.chmac.exe.3960e54.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28289:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282b6:$x2: IClientNetworkHost
16.2.chmac.exe.3960e54.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28289:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29364:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x282a3:$s5: IClientLoggingHost
16.2.chmac.exe.3960e54.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.2.chmac.exe.2260000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.2260000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.chmac.exe.2260000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.2260000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.2260000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.2260000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.chmac.exe.2260000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.2260000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.2.chmac.exe.2500000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.2500000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.chmac.exe.2500000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.2500000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.2.chmac.exe.24b0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.24b0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.chmac.exe.24b0000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.24b0000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.0.chmac.exe.415058.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.415058.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
15.2.chmac.exe.2551458.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.chmac.exe.2551458.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
15.2.chmac.exe.2551458.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.chmac.exe.2551458.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.0.chmac.exe.415058.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.415058.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.chmac.exe.395c01e.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0bf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0ec:$x2: IClientNetworkHost
16.2.chmac.exe.395c01e.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0bf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e19a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0d9:$s5: IClientLoggingHost
16.2.chmac.exe.395c01e.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.395c01e.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d075:$a: NanoCore 0x2d08a:$a: NanoCore 0x2d0bf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce31:$b: ClientPlugin 0x2ce4c:$b: ClientPlugin
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.37b0e54.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28289:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282b6:$x2: IClientNetworkHost
14.2.chmac.exe.37b0e54.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28289:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29364:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x282a3:$s5: IClientLoggingHost
14.2.chmac.exe.37b0e54.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.3733258.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.3733258.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.chmac.exe.3733258.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.3733258.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.415058.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.415058.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.chmac.exe.415058.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.415058.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
16.2.chmac.exe.415058.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.415058.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.chmac.exe.415058.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.415058.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.chmac.exe.396547d.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c60:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c8d:$x2: IClientNetworkHost
16.2.chmac.exe.396547d.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c60:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d3b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c7a:$s5: IClientLoggingHost
16.2.chmac.exe.396547d.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.38e3258.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.38e3258.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.chmac.exe.38e3258.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.38e3258.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.1.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.1.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.2.chmac.exe.400000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.400000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
14.2.chmac.exe.400000.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.400000.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.chmac.exe.415058.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.415058.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.2.chmac.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.2.chmac.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
15.2.chmac.exe.2540000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.chmac.exe.2540000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
15.2.chmac.exe.2540000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.chmac.exe.2540000.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
Click to see the 341 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1f8684ca-0835-4252-89d1-4a2b1be1", "Group": "boy of john", "Domain1": "boyhome5100.duckdns.org", "Domain2": "boyhome5100.duckdns.org", "Port": 5100, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Antivirus detection for URL or domain

Show sources

Source: boyhome5100.duckdns.org

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe

ReversingLabs: Detection: 42%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR

Source: 16.0.chmac.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.chmac.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.chmac.exe.4830000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.chmac.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30f0000.6.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.chmac.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.1.chmac.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.chmac.exe.2500000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.1.chmac.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.chmac.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.chmac.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.chmac.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.chmac.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.chmac.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 14.2.chmac.exe.4830000.9.unpack
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 16.2.chmac.exe.2500000.4.unpack

Source: G2M8C76V_INV0ICE_RECEIPT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: wntdll.pdbUGP source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293275271.0000000003380000.00000004.00000001.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293559055.0000000003510000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312413916.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312089409.0000000003050000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.334018187.0000000003130000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.332132170.00000000032C0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293275271.0000000003380000.00000004.00000001.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293559055.0000000003510000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312413916.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312089409.0000000003050000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.334018187.0000000003130000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.332132170.00000000032C0000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00402630 FindFirstFileA,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00402630 FindFirstFileA,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00404A29 FindFirstFileExW,

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: boyhome5100.duckdns.org

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: boyhome5100.duckdns.org

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: Joe Sandbox View

IP Address: 194.5.98.28 194.5.98.28

Source: global traffic

TCP traffic: 192.168.2.3:49743 -> 194.5.98.28:5100

Source: chmac.exe, chmac.exe, 0000000F.00000000.324531335.0000000000409000.00000008.00020000.sdmp, chmac.exe, 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp, chmac.exe, 00000010.00000000.330014937.0000000000409000.00000008.00020000.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, chmac.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: G2M8C76V_INV0ICE_RECEIPT.exe, chmac.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown

DNS traffic detected: queries for: boyhome5100.duckdns.org

Source: chmac.exe, 0000000D.00000002.326522956.00000000007CA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: chmac.exe, 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 16.2.chmac.exe.2906888.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.2756888.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: G2M8C76V_INV0ICE_RECEIPT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 16.2.chmac.exe.2906888.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.2906888.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.2756888.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.2756888.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0040604C
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00404772
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0040604C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00404772
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_04882FA8
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_048823A0
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_04883850
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_0488238F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_0488306F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0040604C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00404772
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_02573850
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_025723A0
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_02572FA8
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_0257306F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_0040A2A5

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: String function: 00401ED0 appears 92 times
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: String function: 004056B5 appears 32 times
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: String function: 004029E8 appears 48 times
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: String function: 0040569E appears 72 times

Source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.285266172.0000000003496000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs G2M8C76V_INV0ICE_RECEIPT.exe
Source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.284604763.000000000362F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs G2M8C76V_INV0ICE_RECEIPT.exe

Source: G2M8C76V_INV0ICE_RECEIPT.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chmac.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File read: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Jump to behavior

Source: G2M8C76V_INV0ICE_RECEIPT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process created: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process created: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File created: C:\Users\user\AppData\Roaming\dihsw

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File created: C:\Users\user\AppData\Local\Temp\nsyC82.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/12@19/2

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{1f8684ca-0835-4252-89d1-4a2b1be1a69a}

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 3_1_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,

Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: wntdll.pdbUGP source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293275271.0000000003380000.00000004.00000001.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293559055.0000000003510000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312413916.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312089409.0000000003050000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.334018187.0000000003130000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.332132170.00000000032C0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293275271.0000000003380000.00000004.00000001.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293559055.0000000003510000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312413916.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312089409.0000000003050000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.334018187.0000000003130000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.332132170.00000000032C0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 14.2.chmac.exe.4830000.9.unpack
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 16.2.chmac.exe.2500000.4.unpack

.NET source code contains potential unpacker

Show sources

Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_738D1000 push eax; ret
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_72EE1000 push eax; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632881 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632570 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632DFD push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_006325C5 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632E75 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_006326E4 push eax; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_006326A8 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632E81 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632685 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A52881 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A52DFD push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A525D0 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A525DD push eax; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A52570 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A526A8 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A52E81 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A52E75 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00401F16 push ecx; ret

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	File created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	File created: C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	File created: C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll	Jump to dropped file

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl			Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File opened: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe TID: 5352	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe TID: 5356	Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe TID: 4200	Thread sleep time: -280000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 6304	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 6568	Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 6808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 6764	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 2884	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 5904	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Window / User API: foregroundWindowGot 939

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

API coverage: 6.8 %

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00402630 FindFirstFileA,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00402630 FindFirstFileA,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00404A29 FindFirstFileExW,

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 3_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 3_1_004067FE GetProcessHeap,

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0019DE9A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0019E19E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0019E0AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0019E1DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0019E15F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0019DE9A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0019E19E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0019E0AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0019E1DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0019E15F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0019E15F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0019DE9A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0019E19E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0019E0AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0019E1DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_004035F1 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Memory written: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Memory written: C:\Users\user\AppData\Roaming\dihsw\chmac.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Memory written: C:\Users\user\AppData\Roaming\dihsw\chmac.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process created: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 3_1_0040208D cpuid

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 3_1_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: G2M8C76V_INV0ICE_RECEIPT.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Registry Run Keys / Startup Folder1	Process Injection111	Disable or Modify Tools1	Input Capture21	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Deobfuscate/Decode Files or Information11	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Input Capture21	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	System Information Discovery15	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing21	NTDS	Security Software Discovery12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Virtualization/Sandbox Evasion21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection111	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\dihsw\chmac.exe	42%	ReversingLabs	Win32.Backdoor.NanoBot

Unpacked PE Files

Source	Detection	Scanner	Label	Download
16.0.chmac.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.chmac.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.2.chmac.exe.4830000.9.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.2.chmac.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30f0000.6.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
16.0.chmac.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.1.chmac.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.2.chmac.exe.2500000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.1.chmac.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.chmac.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.2.chmac.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.chmac.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.chmac.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.chmac.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
boyhome5100.duckdns.org	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
boyhome5100.duckdns.org	2%	Virustotal		Browse
boyhome5100.duckdns.org	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
boyhome5100.duckdns.org	194.5.98.28	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
boyhome5100.duckdns.org	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	chmac.exe, chmac.exe, 0000000F.00000000.324531335.0000000000409000.00000008.00020000.sdmp, chmac.exe, 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp, chmac.exe, 00000010.00000000.330014937.0000000000409000.00000008.00020000.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, chmac.exe.0.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	G2M8C76V_INV0ICE_RECEIPT.exe, chmac.exe.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.28	boyhome5100.duckdns.org	Netherlands		208476	DANILENKODE	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	552628
Start date:	13.01.2022
Start time:	15:31:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 14s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	G2M8C76V_INV0ICE_RECEIPT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/12@19/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 70.6% (good quality ratio 65.6%) Quality average: 78.3% Quality standard deviation: 30.4%
HCA Information:	Successful, ratio: 88% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:32:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl C:\Users\user\AppData\Roaming\dihsw\chmac.exe
15:32:22	API Interceptor	959x Sleep call for process: G2M8C76V_INV0ICE_RECEIPT.exe modified
15:32:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl C:\Users\user\AppData\Roaming\dihsw\chmac.exe
15:32:27	API Interceptor	2x Sleep call for process: chmac.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chmac.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\56mc2ilzkdt85ppfm Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	data
Category:	dropped
Size (bytes):	278527
Entropy (8bit):	7.984440804169609
Encrypted:	false
SSDEEP:	6144:ANMYeemSX268bMvy0lOGYLjTDNe4bKtB5u85S1wJLYoAlwYJuDNW:AqYeyX6Yq0lPYXNdb0Hw1wJLYoAlLgW
MD5:	E2674E39313EB905BEDB38EE4A90EB82
SHA1:	7EC20D0AD4E70C7621B7D0D836CA7C22029B8A9E
SHA-256:	91CBC859051888ECD50E3765A1A0AE9280DBD540A32A272D6D153F969CEA606D
SHA-512:	FA36A87ED16623BC62B76663F2DFAB3097DA69107CB091BD3BD4C677415F09E5CAF329F06FB566CF8A29CBDE7E50CCACDDFBE44BC125532BF0D9F6AF9D0BC52B
Malicious:	false
Reputation:	low
Preview:	...np.y6k.x..@.........M...v...,M.6.'..X..._...1v.,l.....8.Z6..H.2B.?.K..<.Lp.,h.].PYEG.t.BlU...Z.7.F....%.#..z..Z.3............`P...?.R)......0.....$\|.tW`../.ugo..<.c]}D.nT)...0&.i..............v. {...g...S.X2;v....r`.7...P-.3Rq8.......S..?. ..p.y...x.vc.........\|.M.}..o,..,M.6.'L.X..._[..1v.,l.\.. .VZ.{\|....t...B.?.H.....M.&M_F..I^Q.{..#....k.r0...G!...Ba.3......6.D=...B.lX...8.Ob.A...q=....Cw....Z...."fR"..l..V...@....;qe.P2..`...B.!..s..L..Q?`..R...Ki.SH..=D$..r....2a}M...X......S..v...p.yg,.x?.@........\|.M...v...,..6....;.._t..1vs,l.... I.Z..{\|.o..P....?Fa9wj.M....F...^QI{...a...X.r....GG..TBD...k(...P.D=...bR.X..L8........q=..<.C...P.]...CA?R"U.l..d.......;qe.P2..b..dB.!..s.......?`..R...Ki.SB....$..r....2a}M...X......S..?. ..p.y.k.x?2@........\|.M...v...,M.6.'..X..._...1v.,l.... ..Z..{\|.o..P...B.?...U...M.&..F.zI^Q.{..#....X.r....GG..TBa.3......6.D=...bb.X...8........q=....Cw....Z...."fR"..l.j...@....*;qe.P2..`...B.!..s.......?`..R...Ki.SB....$.

C:\Users\user\AppData\Local\Temp\nfjvhlc Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	data
Category:	dropped
Size (bytes):	7448
Entropy (8bit):	6.084978183064926
Encrypted:	false
SSDEEP:	192:efAApVIRgy4M0Ag13vj/O7s7Pb/T8MEAGLVrW1nU8sj:kqb0bF/NPbAMKLVrMnUv
MD5:	812162B475D941A12A193D8C085597E6
SHA1:	9B4B7CD34860F8FA19B0B5154DBB7F69CFC99489
SHA-256:	C89928AC7C6B93AB283B1197CA645AF22DC77FBFA5E066EDEEAE3402A952ED47
SHA-512:	BFAB4487C5434108FC063A6FCE997543B720F179674C32366910A25DB366FC41179A5492719288C2ABBB2677C510FFD41EDE53B98ED2F44155B8DA50FBE33722
Malicious:	false
Reputation:	low
Preview:	;,....i...........T....4.T....<....]................g...<......,..8......g...<<.....$..0......g...<1.....\..(......g...<V.....T..`... .....T!!..k..4..@i..< .[..<...i.<i..g S.2....i.<!..g b.........@...<..... ..)....,...$...\...T...4...<......i..............,.i.......!..<....].. ..... ..)i....i.....i?.b...i....T.....i..i.....i..i.i..i.S...i.S ...i..i..i....i..i..i?.b.....^.<."..<."..b.....5.<."..<."..b....y.<."..<."..b...i.....T....<]......g.,.........i..^..i.....i......@<.....T..i..k....[....,...8g.<k...S3....,...8."....T.g..,....5.<#....<&........g.<....<...................]......i..i?.b ..i.....T....<]......g.T.........i..^..i.....i......@<. ...T.j...i..k....[....T...`i..k...S3....T...`i..k...#3...T...`i...[....2!...T...`g.<k...S3"...T...`......T.g..T....^.<>....<A............i.<i....................<...................]......i..i?.b...i....]......g.@.........i..^..i.....i......@<.!...T..i..k....[....@...<i..k...S3....@...<."....T.g..@...y.<.....<...........

C:\Users\user\AppData\Local\Temp\nsiCC1.tmp Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	data
Category:	dropped
Size (bytes):	317856
Entropy (8bit):	7.76643048605343
Encrypted:	false
SSDEEP:	6144:2jCLNMYeemSX268bMvy0lOGYLjTDNe4bKtB5u85S1wJLYoAlwYJuDN:2eqYeyX6Yq0lPYXNdb0Hw1wJLYoAlLg
MD5:	C2D44B063B4B0AABF482FFB2E1074145
SHA1:	F5EFA683BD7E7FCDF848C26F8E8A81D9DDA9CFE6
SHA-256:	0994AF1254D390C551AD60759AF35F2267CB7324182C2087772D51D89DB9C004
SHA-512:	BB831F963B4213E5B23403141261BE8C8C68EBEFE087EE66B4C5783A343FE93DB8A081CCC7AEF6998861371D51FFE4B9FFEB39A3AAC53FAC8C5C9D14F94FC795
Malicious:	false
Reputation:	low
Preview:	yj......,...................a....P.......i......aj..........................................................................................................................................................................................................................................J...................j........................................................................................................................................... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.7711135978980614
Encrypted:	false
SSDEEP:	24:e31GSNNN0teIAJdax/+YZVy0NVxagHCueecv8hueeYoNXs+f3SlLRQ0K7ABPnRug:CnaI9ro3ngnFbfGFN1RuqSR
MD5:	CA6B2E72403972AE585025A81040FC44
SHA1:	BDA160D06EE5611B6CFE53F048CC00526941A1D4
SHA-256:	E0932A5438FFEE964EF9DEB10C5C5F187B12B319894552BA062A36E93EABBBF8
SHA-512:	48283C382D8C95DC96E193EAE541F6E86FFA43D107D0F739F1FFEA779364EFC0562A094C167F65ADCFD97B37BA6A31F561E237E92601F908AD7AAC87FF56B2ED
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z-...C]..C]..C]Z.M]..C].}B\..C]..B]..C].nG\..C].nC\..C].n.]..C].nA\..C]Rich..C]........................PE..L....0.a...........!......................... ...............................P............@.......................... ..H.... .......0.......................@..<.................................................... ...............................text...B........................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..<....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq5FC3.tmp Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	data
Category:	dropped
Size (bytes):	317856
Entropy (8bit):	7.76643048605343
Encrypted:	false
SSDEEP:	6144:2jCLNMYeemSX268bMvy0lOGYLjTDNe4bKtB5u85S1wJLYoAlwYJuDN:2eqYeyX6Yq0lPYXNdb0Hw1wJLYoAlLg
MD5:	C2D44B063B4B0AABF482FFB2E1074145
SHA1:	F5EFA683BD7E7FCDF848C26F8E8A81D9DDA9CFE6
SHA-256:	0994AF1254D390C551AD60759AF35F2267CB7324182C2087772D51D89DB9C004
SHA-512:	BB831F963B4213E5B23403141261BE8C8C68EBEFE087EE66B4C5783A343FE93DB8A081CCC7AEF6998861371D51FFE4B9FFEB39A3AAC53FAC8C5C9D14F94FC795
Malicious:	false
Reputation:	low
Preview:	yj......,...................a....P.......i......aj..........................................................................................................................................................................................................................................J...................j........................................................................................................................................... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.7711135978980614
Encrypted:	false
SSDEEP:	24:e31GSNNN0teIAJdax/+YZVy0NVxagHCueecv8hueeYoNXs+f3SlLRQ0K7ABPnRug:CnaI9ro3ngnFbfGFN1RuqSR
MD5:	CA6B2E72403972AE585025A81040FC44
SHA1:	BDA160D06EE5611B6CFE53F048CC00526941A1D4
SHA-256:	E0932A5438FFEE964EF9DEB10C5C5F187B12B319894552BA062A36E93EABBBF8
SHA-512:	48283C382D8C95DC96E193EAE541F6E86FFA43D107D0F739F1FFEA779364EFC0562A094C167F65ADCFD97B37BA6A31F561E237E92601F908AD7AAC87FF56B2ED
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z-...C]..C]..C]Z.M]..C].}B\..C]..B]..C].nG\..C].nC\..C].n.]..C].nA\..C]Rich..C]........................PE..L....0.a...........!......................... ...............................P............@.......................... ..H.... .......0.......................@..<.................................................... ...............................text...B........................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..<....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsx3DC4.tmp Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	data
Category:	dropped
Size (bytes):	317856
Entropy (8bit):	7.76643048605343
Encrypted:	false
SSDEEP:	6144:2jCLNMYeemSX268bMvy0lOGYLjTDNe4bKtB5u85S1wJLYoAlwYJuDN:2eqYeyX6Yq0lPYXNdb0Hw1wJLYoAlLg
MD5:	C2D44B063B4B0AABF482FFB2E1074145
SHA1:	F5EFA683BD7E7FCDF848C26F8E8A81D9DDA9CFE6
SHA-256:	0994AF1254D390C551AD60759AF35F2267CB7324182C2087772D51D89DB9C004
SHA-512:	BB831F963B4213E5B23403141261BE8C8C68EBEFE087EE66B4C5783A343FE93DB8A081CCC7AEF6998861371D51FFE4B9FFEB39A3AAC53FAC8C5C9D14F94FC795
Malicious:	false
Reputation:	low
Preview:	yj......,...................a....P.......i......aj..........................................................................................................................................................................................................................................J...................j........................................................................................................................................... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.7711135978980614
Encrypted:	false
SSDEEP:	24:e31GSNNN0teIAJdax/+YZVy0NVxagHCueecv8hueeYoNXs+f3SlLRQ0K7ABPnRug:CnaI9ro3ngnFbfGFN1RuqSR
MD5:	CA6B2E72403972AE585025A81040FC44
SHA1:	BDA160D06EE5611B6CFE53F048CC00526941A1D4
SHA-256:	E0932A5438FFEE964EF9DEB10C5C5F187B12B319894552BA062A36E93EABBBF8
SHA-512:	48283C382D8C95DC96E193EAE541F6E86FFA43D107D0F739F1FFEA779364EFC0562A094C167F65ADCFD97B37BA6A31F561E237E92601F908AD7AAC87FF56B2ED
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z-...C]..C]..C]Z.M]..C].}B\..C]..B]..C].nG\..C].nC\..C].n.]..C].nA\..C]Rich..C]........................PE..L....0.a...........!......................... ...............................P............@.......................... ..H.... .......0.......................@..<.................................................... ...............................text...B........................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..<....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	International EBCDIC text, with no line terminators, with overstriking
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:JX98:o
MD5:	96A85767F76F3E5FC753A622A56C5315
SHA1:	67832A8FDABC53BB4AF9DFEB37705D62A32559A5
SHA-256:	8AE24E6F0625954103BC1DE425F96A077410B995891E73E706600B3F3F7B23AC
SHA-512:	E3161717A96BE7C5DC13440E44DF7F4791C53496D20939026689BE160AA04EFF916C08E3F91363158FCC874AD527A18D046A68E3AD2F4FE8DEC9604A155F38EE
Malicious:	true
Preview:	..`....H

C:\Users\user\AppData\Roaming\dihsw\chmac.exe Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	663115
Entropy (8bit):	5.508570188450402
Encrypted:	false
SSDEEP:	6144:lwq9sUW6UzgZb6uxaKHEMiYKpgss9N2zy:6UZYgxc5NYKCr7
MD5:	D272E884F59FF9D7921619F88766709D
SHA1:	B9013DCFFC28E174C1CB7D81FD46B6463B4FF579
SHA-256:	94A00E5D13EEBC1A99DD48E2D9F9CB48935C424C6BD58AB9F6D78FF0CAA36506
SHA-512:	EB8A351EB547A359F246B6E82B4794AEF31E2A350043116965E636A7A69583621C1EE2A5381079A1815A7489BFADC2FC3962AE74CBDF523A4F6E6E7E2379D9C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.......p....@..........................p...............................................s.......................................................................................p...............................text...vY.......Z.................. ..`.rdata.......p.......^..............@..@.data................p..............@....ndata.......@...........................rsrc................t..............@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	5.508570188450402
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	G2M8C76V_INV0ICE_RECEIPT.exe
File size:	663115
MD5:	d272e884f59ff9d7921619f88766709d
SHA1:	b9013dcffc28e174c1cb7d81fd46b6463b4ff579
SHA256:	94a00e5d13eebc1a99dd48e2d9f9cb48935c424c6bd58ab9f6d78ff0caa36506
SHA512:	eb8a351eb547a359f246b6e82b4794aef31e2a350043116965e636a7a69583621c1ee2a5381079a1815a7489bfadc2fc3962ae74cbdf523a4f6e6e7e2379d9c2
SSDEEP:	6144:lwq9sUW6UzgZb6uxaKHEMiYKpgss9N2zy:6UZYgxc5NYKCr7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

File Icon


Icon Hash:	d8c8d0d0f0ccd4d0

Static PE Info

General
Entrypoint:	0x403225
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409128h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F38E8C8C460h
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F450h
call dword ptr [00407158h]
push 004091B0h
push 004236A0h
call 00007F38E8C8C117h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F38E8C8C105h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F38E8C8992Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F38E8C8BBF8h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F38E8C89985h
cmp cl, 00000020h
jne 00007F38E8C89928h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F38E8C8991Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x5ac80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5976	0x5a00	False	0.668619791667	data	6.46680044621	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.444878472222	data	5.17796812871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55078125	data	4.68983486809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x5ac80	0x5ae00	False	0.0282652381362	data	2.14570825877	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c280	0x42028	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x6e2a8	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x7ead0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x82cf8	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x852a0	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x86348	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x867b0	0x100	data	English	United States
RT_DIALOG	0x868b0	0x11c	data	English	United States
RT_DIALOG	0x869d0	0x60	data	English	United States
RT_GROUP_ICON	0x86a30	0x5a	data	English	United States
RT_MANIFEST	0x86a90	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/22-15:32:22.405814	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	57875	8.8.8.8	192.168.2.3
01/13/22-15:32:35.830669	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	52806	8.8.8.8	192.168.2.3
01/13/22-15:32:48.402158	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60784	8.8.8.8	192.168.2.3
01/13/22-15:32:54.892461	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51143	8.8.8.8	192.168.2.3
01/13/22-15:33:01.332628	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56009	8.8.8.8	192.168.2.3
01/13/22-15:33:07.691280	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	55102	8.8.8.8	192.168.2.3
01/13/22-15:33:13.938372	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	49559	8.8.8.8	192.168.2.3
01/13/22-15:33:27.058039	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60352	8.8.8.8	192.168.2.3
01/13/22-15:33:47.081904	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	64367	8.8.8.8	192.168.2.3
01/13/22-15:34:12.542040	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	63456	8.8.8.8	192.168.2.3
01/13/22-15:34:18.907708	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	58540	8.8.8.8	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2022 15:32:22.421966076 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:22.638089895 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:22.638262987 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:22.681634903 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:22.927839994 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:22.928119898 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.202478886 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.204865932 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.422007084 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.422168016 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.688400984 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.688625097 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.953144073 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.953242064 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.974941015 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.975009918 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.975030899 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.975071907 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.975084066 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.975142002 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.975311995 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.975361109 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.195730925 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.195770025 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.195786953 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.195801973 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.195871115 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.195933104 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.197261095 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.197288990 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.197380066 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.197438955 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.197463989 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.197529078 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412081003 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412120104 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412270069 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412296057 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412353992 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412378073 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412425995 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412484884 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412549973 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412600994 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412719011 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412767887 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412918091 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412942886 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412969112 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412988901 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.413502932 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.413558960 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.413671970 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.413722038 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.413892031 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.413948059 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.415338993 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.415370941 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.415414095 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.415436029 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.415725946 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.415752888 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.415776968 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.415795088 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.416074038 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.416125059 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.497258902 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.628937960 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.629045010 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.629529953 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.629594088 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.630927086 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.630968094 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631002903 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631011009 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631057024 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631068945 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631100893 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631103992 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631145000 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631146908 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631190062 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631191015 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631226063 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631232977 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631272078 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631275892 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631309986 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631315947 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631356955 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631359100 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631392956 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631400108 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631441116 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631443024 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631479979 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631480932 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631520033 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631522894 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631560087 CET	49743	5100	192.168.2.3	194.5.98.28

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2022 15:32:22.209491968 CET	57875	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:22.405813932 CET	53	57875	8.8.8.8	192.168.2.3
Jan 13, 2022 15:32:28.565608978 CET	54154	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:28.585058928 CET	53	54154	8.8.8.8	192.168.2.3
Jan 13, 2022 15:32:35.717637062 CET	52806	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:35.830668926 CET	53	52806	8.8.8.8	192.168.2.3
Jan 13, 2022 15:32:41.991347075 CET	64021	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:42.010797024 CET	53	64021	8.8.8.8	192.168.2.3
Jan 13, 2022 15:32:48.289732933 CET	60784	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:48.402158022 CET	53	60784	8.8.8.8	192.168.2.3
Jan 13, 2022 15:32:54.779721975 CET	51143	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:54.892461061 CET	53	51143	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:01.219548941 CET	56009	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:01.332628012 CET	53	56009	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:07.577388048 CET	55102	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:07.691279888 CET	53	55102	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:13.824532986 CET	49559	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:13.938371897 CET	53	49559	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:20.093357086 CET	57106	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:20.112741947 CET	53	57106	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:26.943756104 CET	60352	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:27.058038950 CET	53	60352	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:33.189743996 CET	60982	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:33.209614038 CET	53	60982	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:39.395334959 CET	58058	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:39.414510965 CET	53	58058	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:46.968370914 CET	64367	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:47.081903934 CET	53	64367	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:53.528749943 CET	51539	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:53.548517942 CET	53	51539	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:59.952053070 CET	55393	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:59.971908092 CET	53	55393	8.8.8.8	192.168.2.3
Jan 13, 2022 15:34:06.225054026 CET	50585	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:34:06.244513035 CET	53	50585	8.8.8.8	192.168.2.3
Jan 13, 2022 15:34:12.427901983 CET	63456	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:34:12.542040110 CET	53	63456	8.8.8.8	192.168.2.3
Jan 13, 2022 15:34:18.793152094 CET	58540	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:34:18.907707930 CET	53	58540	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2022 15:32:22.209491968 CET	192.168.2.3	8.8.8.8	0x4721	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:28.565608978 CET	192.168.2.3	8.8.8.8	0x8fea	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:35.717637062 CET	192.168.2.3	8.8.8.8	0xdeca	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:41.991347075 CET	192.168.2.3	8.8.8.8	0x4167	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:48.289732933 CET	192.168.2.3	8.8.8.8	0x4bf8	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:54.779721975 CET	192.168.2.3	8.8.8.8	0x7c96	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:01.219548941 CET	192.168.2.3	8.8.8.8	0x8b00	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:07.577388048 CET	192.168.2.3	8.8.8.8	0x7c76	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:13.824532986 CET	192.168.2.3	8.8.8.8	0x4c89	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:20.093357086 CET	192.168.2.3	8.8.8.8	0x847	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:26.943756104 CET	192.168.2.3	8.8.8.8	0x9ddc	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:33.189743996 CET	192.168.2.3	8.8.8.8	0x2b96	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:39.395334959 CET	192.168.2.3	8.8.8.8	0x5a8	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:46.968370914 CET	192.168.2.3	8.8.8.8	0xff75	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:53.528749943 CET	192.168.2.3	8.8.8.8	0x5d02	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:59.952053070 CET	192.168.2.3	8.8.8.8	0x491c	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:06.225054026 CET	192.168.2.3	8.8.8.8	0x779a	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:12.427901983 CET	192.168.2.3	8.8.8.8	0x2f7	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:18.793152094 CET	192.168.2.3	8.8.8.8	0x890f	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 13, 2022 15:32:22.405813932 CET	8.8.8.8	192.168.2.3	0x4721	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:28.585058928 CET	8.8.8.8	192.168.2.3	0x8fea	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:35.830668926 CET	8.8.8.8	192.168.2.3	0xdeca	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:42.010797024 CET	8.8.8.8	192.168.2.3	0x4167	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:48.402158022 CET	8.8.8.8	192.168.2.3	0x4bf8	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:54.892461061 CET	8.8.8.8	192.168.2.3	0x7c96	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:01.332628012 CET	8.8.8.8	192.168.2.3	0x8b00	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:07.691279888 CET	8.8.8.8	192.168.2.3	0x7c76	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:13.938371897 CET	8.8.8.8	192.168.2.3	0x4c89	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:20.112741947 CET	8.8.8.8	192.168.2.3	0x847	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:27.058038950 CET	8.8.8.8	192.168.2.3	0x9ddc	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:33.209614038 CET	8.8.8.8	192.168.2.3	0x2b96	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:39.414510965 CET	8.8.8.8	192.168.2.3	0x5a8	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:47.081903934 CET	8.8.8.8	192.168.2.3	0xff75	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:53.548517942 CET	8.8.8.8	192.168.2.3	0x5d02	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:59.971908092 CET	8.8.8.8	192.168.2.3	0x491c	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:06.244513035 CET	8.8.8.8	192.168.2.3	0x779a	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:12.542040110 CET	8.8.8.8	192.168.2.3	0x2f7	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:18.907707930 CET	8.8.8.8	192.168.2.3	0x890f	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964 Parent PID: 5748

General

Start time:	15:32:13
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092 Parent PID: 6964

General

Start time:	15:32:15
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: chmac.exe PID: 6288 Parent PID: 3352

General

Start time:	15:32:25
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 42%, ReversingLabs
Reputation:	low

Analysis Process: chmac.exe PID: 6556 Parent PID: 6288

General

Start time:	15:32:27
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: chmac.exe PID: 6760 Parent PID: 3352

General

Start time:	15:32:34
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: chmac.exe PID: 6820 Parent PID: 6760

General

Start time:	15:32:36
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report G2M8C76V_INV0ICE_RECEIPT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre