Windows Analysis Report 4Y85lSOUJ0.exe

Overview

General Information

Sample Name: 4Y85lSOUJ0.exe
Analysis ID: 553230
MD5: 4f439877b84b51b8caa48ae81e1d2363
SHA1: defde1263c0ca2d604226cff86e4045a28650ab4
SHA256: b05b740309562ab6160cc3eb8ed2f0dd839d53c6c71f67bf40aeeb3f580eeb0a
Tags: exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore MercurialGrabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected MercurialGrabber
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the product ID of Windows
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "e5633be0-23ed-438f-a28c-ab363fff", "Group": "Lol ve Valo", "Domain1": "alpay.germanywestcentral.cloudapp.azure.com", "Domain2": "", "Port": 6000, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 4985, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "fcff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "alpay.germanywestcentral.cloudapp.azure.com"}
Source: 5.2.output.exe.300000.0.unpack Malware Configuration Extractor: MercurialGrabber {"Webhook Url": "https://discord.com/api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7"}
Multi AV Scanner detection for submitted file
Source: 4Y85lSOUJ0.exe Virustotal: Detection: 73% Perma Link
Source: 4Y85lSOUJ0.exe ReversingLabs: Detection: 82%
Yara detected MercurialGrabber
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.301105822.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285297877.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285865715.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285573349.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: output.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\output.exe, type: DROPPED
Antivirus / Scanner detection for submitted sample
Source: 4Y85lSOUJ0.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\ProgramData\output.exe Avira: detection malicious, Label: HEUR/AGEN.1137455
Source: C:\ProgramData\nano.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Metadefender: Detection: 85% Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 96%
Source: C:\ProgramData\nano.exe Metadefender: Detection: 85% Perma Link
Source: C:\ProgramData\nano.exe ReversingLabs: Detection: 96%
Source: C:\ProgramData\output.exe Metadefender: Detection: 51% Perma Link
Source: C:\ProgramData\output.exe ReversingLabs: Detection: 85%
Yara detected Nanocore RAT
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\nano.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Machine Learning detection for sample
Source: 4Y85lSOUJ0.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Source: C:\ProgramData\output.exe Joe Sandbox ML: detected
Source: C:\ProgramData\nano.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.nano.exe.5c40000.7.unpack Avira: Label: TR/NanoCore.fadte
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.2.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.nano.exe.a80000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.3.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

barindex
Uses 32bit PE files
Source: 4Y85lSOUJ0.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49748 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.3:49750 version: TLS 1.0
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: 4Y85lSOUJ0.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: nano.exe, 00000002.00000002.552327927.0000000002DF5000.00000004.00000040.sdmp

Networking:

barindex
May check the online IP address of the machine
Source: C:\ProgramData\output.exe DNS query: name: ip-api.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs:
Source: Malware configuration extractor URLs: alpay.germanywestcentral.cloudapp.azure.com
Source: Malware configuration extractor URLs: https://discord.com/api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ip4.seeip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 448Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 315Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 315Expect: 100-continue
Source: global traffic HTTP traffic detected: GET //json/84.17.52.18 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49748 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.3:49750 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1Content-Type: multipart/form-data; boundary=----------3cde43b36e5043cd8b731216050e2461User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0Host: discord.comContent-Length: 662Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1Content-Type: multipart/form-data; boundary=----------69ea6f20e22e45fdbf9ff26e6e4a8634User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0Host: discord.comContent-Length: 106574Expect: 100-continue
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: output.exe, 00000005.00000002.303632459.000000001B473000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.
Source: output.exe, 00000005.00000002.303632459.000000001B473000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: output.exe, 00000005.00000002.302801569.000000000262A000.00000004.00000001.sdmp String found in binary or memory: http://discord.com
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: http://ip-api.com//json/
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com//json/84.17.52.18
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.comx
Source: output.exe, 00000005.00000002.302561397.00000000025EB000.00000004.00000001.sdmp String found in binary or memory: http://ip4.seeip.org
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: output.exe, 00000005.00000002.302970081.00000000026BB000.00000004.00000001.sdmp, ConDrv.5.dr String found in binary or memory: https://cdn.discordapp.com/attachments/923954670580420641/931537240771944498/passwords.txt
Source: output.exe, 00000005.00000002.303048035.00000000026E6000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302561397.00000000025EB000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302895001.000000000268F000.00000004.00000001.sdmp, ConDrv.5.dr String found in binary or memory: https://cdn.discordapp.com/attachments/923954670580420641/931537246346162207/Capture.jpg
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: output.exe, 00000005.00000002.302801569.000000000262A000.00000004.00000001.sdmp String found in binary or memory: https://discord.com
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: https://discord.com/api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cp
Source: output.exe, 00000005.00000002.302937012.000000000269F000.00000004.00000001.sdmp, output.exe, 00000005.00000002.303048035.00000000026E6000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302970081.00000000026BB000.00000004.00000001.sdmp String found in binary or memory: https://discord.com8
Source: output.exe, 00000005.00000002.302801569.000000000262A000.00000004.00000001.sdmp String found in binary or memory: https://discord.comx
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: https://discordapp.com/api/v8/users/
Source: output.exe.0.dr String found in binary or memory: https://i.imgur.com/vgxBhmx.png
Source: output.exe, 00000005.00000002.302970081.00000000026BB000.00000004.00000001.sdmp String found in binary or memory: https://i.imgur.com/vgxBhmx.pngultipart/form-data
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: https://ip4.seeip.org
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: https://ip4.seeip.org/
Source: output.exe, 00000005.00000002.302497941.00000000025CA000.00000004.00000001.sdmp String found in binary or memory: https://ip4.seeip.orgx
Source: output.exe, 00000005.00000002.302970081.00000000026BB000.00000004.00000001.sdmp, ConDrv.5.dr String found in binary or memory: https://media.discordapp.net/attachments/923954670580420641/931537240771944498/passwords.txt
Source: output.exe, 00000005.00000002.303048035.00000000026E6000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302561397.00000000025EB000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302895001.000000000268F000.00000004.00000001.sdmp, ConDrv.5.dr String found in binary or memory: https://media.discordapp.net/attachments/923954670580420641/931537246346162207/Capture.jpg
Source: output.exe, 00000005.00000002.302937012.000000000269F000.00000004.00000001.sdmp, output.exe, 00000005.00000002.303048035.00000000026E6000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302650273.0000000002610000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302902345.0000000002693000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302970081.00000000026BB000.00000004.00000001.sdmp, output.exe, 00000005.00000002.302925247.000000000269B000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 4Y85lSOUJ0.exe, output.exe.0.dr String found in binary or memory: https://www.countryflags.io/
Source: output.exe, 00000005.00000002.302801569.000000000262A000.00000004.00000001.sdmp String found in binary or memory: https://www.countryflags.io/CH/flat/48.png
Source: unknown HTTP traffic detected: POST /api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7 HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 448Expect: 100-continueConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: ip4.seeip.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ip4.seeip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET //json/84.17.52.18 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: nano.exe, 00000002.00000002.551067632.000000000122A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: nano.exe, 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected MercurialGrabber
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.301105822.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285297877.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285865715.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285573349.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: output.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\output.exe, type: DROPPED
Yara detected Nanocore RAT
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\nano.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.5720000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.32b1744.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\ProgramData\output.exe, type: DROPPED Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: C:\ProgramData\nano.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\ProgramData\nano.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Uses 32bit PE files
Source: 4Y85lSOUJ0.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4Y85lSOUJ0.exe, type: SAMPLE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.5720000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.5720000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.32b1744.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.32b1744.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\ProgramData\output.exe, type: DROPPED Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: C:\ProgramData\nano.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\ProgramData\nano.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\ProgramData\nano.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\ProgramData\nano.exe Code function: 2_2_00A8524A 2_2_00A8524A
Source: C:\ProgramData\nano.exe Code function: 2_2_011E7ABE 2_2_011E7ABE
Source: C:\ProgramData\nano.exe Code function: 2_2_053B8918 2_2_053B8918
Source: C:\ProgramData\nano.exe Code function: 2_2_053BB1E8 2_2_053BB1E8
Source: C:\ProgramData\nano.exe Code function: 2_2_053B3850 2_2_053B3850
Source: C:\ProgramData\nano.exe Code function: 2_2_053B2FA8 2_2_053B2FA8
Source: C:\ProgramData\nano.exe Code function: 2_2_053B23A0 2_2_053B23A0
Source: C:\ProgramData\nano.exe Code function: 2_2_053B9518 2_2_053B9518
Source: C:\ProgramData\nano.exe Code function: 2_2_053B95DF 2_2_053B95DF
Source: C:\ProgramData\nano.exe Code function: 2_2_053B306F 2_2_053B306F
Source: C:\ProgramData\output.exe Code function: 5_2_00007FFC085B3551 5_2_00007FFC085B3551
Contains functionality to call native functions
Source: C:\ProgramData\nano.exe Code function: 2_2_054D18D2 NtQuerySystemInformation, 2_2_054D18D2
Source: C:\ProgramData\nano.exe Code function: 2_2_054D1897 NtQuerySystemInformation, 2_2_054D1897
Sample file is different than original file name gathered from version info
Source: 4Y85lSOUJ0.exe Binary or memory string: OriginalFilename vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe, 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameoutput.exe4 vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe, 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameValorant VP Generator.exe, vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe, 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamevampire.dll4 vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe, 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameoutput.exe4 vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe, 00000000.00000002.287481820.0000000001140000.00000004.00020000.sdmp Binary or memory string: OriginalFilenamevampire.dll4 vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe Binary or memory string: OriginalFilenameoutput.exe4 vs 4Y85lSOUJ0.exe
Source: 4Y85lSOUJ0.exe Binary or memory string: OriginalFilenameValorant VP Generator.exe, vs 4Y85lSOUJ0.exe
PE file contains strange resources
Source: 4Y85lSOUJ0.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4Y85lSOUJ0.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nano.exe.0.dr Static PE information: Section: .rsrc ZLIB complexity 0.996271306818
Source: dhcpmon.exe.2.dr Static PE information: Section: .rsrc ZLIB complexity 0.996271306818
Source: 4Y85lSOUJ0.exe Virustotal: Detection: 73%
Source: 4Y85lSOUJ0.exe ReversingLabs: Detection: 82%
Source: 4Y85lSOUJ0.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\4Y85lSOUJ0.exe "C:\Users\user\Desktop\4Y85lSOUJ0.exe"
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process created: C:\ProgramData\nano.exe "C:\ProgramData\nano.exe"
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process created: C:\ProgramData\output.exe "C:\ProgramData\output.exe"
Source: C:\ProgramData\output.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process created: C:\ProgramData\nano.exe "C:\ProgramData\nano.exe" Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process created: C:\ProgramData\output.exe "C:\ProgramData\output.exe" Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\ProgramData\nano.exe Code function: 2_2_054D1692 AdjustTokenPrivileges, 2_2_054D1692
Source: C:\ProgramData\nano.exe Code function: 2_2_054D165B AdjustTokenPrivileges, 2_2_054D165B
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\4Y85lSOUJ0.exe.log Jump to behavior
Source: C:\ProgramData\output.exe File created: C:\Users\user\AppData\Local\Temp\login.db Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/9@3/3
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\ProgramData\nano.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\ProgramData\nano.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\ProgramData\nano.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\ProgramData\output.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
Source: C:\ProgramData\nano.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\ProgramData\nano.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{e5633be0-23ed-438f-a28c-ab363fff6ac9}
Source: C:\ProgramData\nano.exe File created: C:\Program Files (x86)\DHCP Monitor Jump to behavior
Source: 4Y85lSOUJ0.exe String found in binary or memory: copy to : /\launcher_profiles.json5Minecraft Session Profiles-launcher_profiles.json'multipart/form-data
Source: 4Y85lSOUJ0.exe String found in binary or memory: #Minecraft SessionKUnable to find launcher_profiles.jsonE\.minecraft\launcher_accounts.json/\launcher_accounts.json-launcher_accounts.jsonKUnable to find launcher_accounts.json
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.2.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.2.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\ProgramData\output.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\ProgramData\output.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\ProgramData\output.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\ProgramData\nano.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: 4Y85lSOUJ0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 4Y85lSOUJ0.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: nano.exe, 00000002.00000002.552327927.0000000002DF5000.00000004.00000040.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: 4Y85lSOUJ0.exe, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.2.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.2.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2D5C push ecx; retf 2_2_011D2D6E
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2D5C push ecx; retf 2_2_011D2D86
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2D5C push edi; retf 2_2_011D2DFE
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2E59 push edi; retf 2_2_011D2DF2
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2545 pushfd ; iretd 2_2_011D254E
Source: C:\ProgramData\nano.exe Code function: 2_2_011D3145 push eax; retf 2_2_011D314A
Source: C:\ProgramData\nano.exe Code function: 2_2_011D3379 pushfd ; iretd 2_2_011D338A
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2875 push edi; retf 2_2_011D2882
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2D80 push ecx; retf 2_2_011D2D86
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2EB8 pushfd ; iretd 2_2_011D2ED6
Source: C:\ProgramData\nano.exe Code function: 2_2_011D27D8 push eax; retf 2_2_011D27DA
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2FD0 push eax; retf 2_2_011D2FD6
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2FC9 push esp; iretd 2_2_011D2FCA
Source: C:\ProgramData\nano.exe Code function: 2_2_011D29C8 pushfd ; iretd 2_2_011D29C6
Source: C:\ProgramData\nano.exe Code function: 2_2_011D29C2 pushfd ; iretd 2_2_011D29C6
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2DEC push ecx; retf 2_2_011D2D86
Source: C:\ProgramData\nano.exe Code function: 2_2_011D2DEC push edi; retf 2_2_011D2DF2
Source: C:\ProgramData\nano.exe Code function: 2_2_011D32E8 push esi; iretd 2_2_011D32FA
Source: C:\ProgramData\nano.exe Code function: 2_2_011D28E1 push edi; retf 2_2_011D28E2
Source: C:\ProgramData\nano.exe Code function: 2_2_011E9D78 pushad ; retf 2_2_011E9D79
Source: C:\ProgramData\nano.exe Code function: 2_2_011E9D74 push eax; retf 2_2_011E9D75
Source: initial sample Static PE information: section name: .text entropy: 7.20683355294
Source: dhcpmon.exe.2.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.2.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.0.nano.exe.a80000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.2.nano.exe.a80000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.0.nano.exe.a80000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.0.nano.exe.a80000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.0.nano.exe.a80000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

barindex
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File created: C:\ProgramData\nano.exe Jump to dropped file
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File created: C:\ProgramData\output.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File created: C:\ProgramData\nano.exe Jump to dropped file
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe File created: C:\ProgramData\output.exe Jump to dropped file
Source: C:\ProgramData\nano.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\ProgramData\nano.exe File opened: C:\ProgramData\nano.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\nano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\output.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe TID: 6916 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\nano.exe TID: 5884 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\nano.exe TID: 6292 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99843s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99733s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99624s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99515s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99406s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99279s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99168s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99060s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98952s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98843s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98734s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98623s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98515s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -98406s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 6224 Thread sleep time: -99937s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 5512 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\ProgramData\output.exe TID: 2880 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\nano.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\ProgramData\nano.exe Window / User API: threadDelayed 890 Jump to behavior
Source: C:\ProgramData\nano.exe Window / User API: foregroundWindowGot 1016 Jump to behavior
Source: C:\ProgramData\nano.exe Window / User API: foregroundWindowGot 383 Jump to behavior
Source: C:\ProgramData\output.exe Window / User API: threadDelayed 976 Jump to behavior
Source: C:\ProgramData\output.exe Window / User API: threadDelayed 2661 Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\ProgramData\output.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosInformation Jump to behavior
Source: C:\ProgramData\output.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0 Jump to behavior
Source: C:\ProgramData\output.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Source: C:\ProgramData\nano.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\ProgramData\nano.exe Code function: 2_2_054D12DA GetSystemInfo, 2_2_054D12DA
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\nano.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99843 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99733 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99624 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99515 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99406 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99279 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99168 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99060 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98952 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98843 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98734 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98623 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98515 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 98406 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 99937 Jump to behavior
Source: C:\ProgramData\output.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: output.exe.0.dr Binary or memory string: SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S
Source: output.exe, 00000005.00000002.302347096.0000000002551000.00000004.00000001.sdmp Binary or memory string: ISYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S
Source: output.exe, 00000005.00000002.302347096.0000000002551000.00000004.00000001.sdmp Binary or memory string: KSYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev
Source: output.exe.0.dr Binary or memory string: vmware
Source: 4Y85lSOUJ0.exe, output.exe.0.dr Binary or memory string: virtualboxvboxqemu
Source: output.exe Binary or memory string: SOFTWARE\VMWare, Inc.\VMWare Tools
Source: nano.exe, 00000002.00000003.407019880.00000000012A5000.00000004.00000001.sdmp, nano.exe, 00000002.00000003.418108380.00000000012A6000.00000004.00000001.sdmp, nano.exe, 00000002.00000002.551166452.000000000125C000.00000004.00000020.sdmp, nano.exe, 00000002.00000003.363174186.00000000012BB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: output.exe Binary or memory string: SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev
Source: nano.exe, 00000002.00000003.407019880.00000000012A5000.00000004.00000001.sdmp, nano.exe, 00000002.00000003.418108380.00000000012A6000.00000004.00000001.sdmp, nano.exe, 00000002.00000002.551166452.000000000125C000.00000004.00000020.sdmp, nano.exe, 00000002.00000003.363174186.00000000012BB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^#C
Source: output.exe, 00000005.00000002.302347096.0000000002551000.00000004.00000001.sdmp Binary or memory string: "SOFTWARE\VMWare, Inc.\VMWare Tools
Source: output.exe.0.dr Binary or memory string: SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdevkSYSTEM\CurrentControlSet\Control\VirtualDeviceDriversESOFTWARE\VMWare, Inc.\VMWare ToolsUSOFTWARE\Oracle\VirtualBox Guest Additions1HARDWARE\ACPI\DSDT\VBOX_SSYSTEM\ControlSet001\Services\Disk\Enum\0cHARDWARE\Description\System\SystemBiosInformationYHARDWARE\Description\System\VideoBiosVersion]HARDWARE\Description\System\SystemManufacturer[HARDWARE\Description\System\SystemProductName[HARDWARE\Description\System\Logical Unit Id 0
Source: output.exe, 00000005.00000002.301549791.00000000009A0000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSS

Anti Debugging:

barindex
Enables debug privileges
Source: C:\ProgramData\nano.exe Process token adjusted: Debug Jump to behavior
Source: C:\ProgramData\output.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process created: C:\ProgramData\nano.exe "C:\ProgramData\nano.exe" Jump to behavior
Source: C:\Users\user\Desktop\4Y85lSOUJ0.exe Process created: C:\ProgramData\output.exe "C:\ProgramData\output.exe" Jump to behavior
Source: nano.exe, 00000002.00000002.552908452.000000000332B000.00000004.00000001.sdmp, nano.exe, 00000002.00000002.552041989.0000000001940000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: nano.exe, 00000002.00000002.552041989.0000000001940000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: nano.exe, 00000002.00000002.552041989.0000000001940000.00000002.00020000.sdmp Binary or memory string: Progman
Source: nano.exe, 00000002.00000002.552041989.0000000001940000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\ProgramData\output.exe Queries volume information: C:\ProgramData\output.exe VolumeInformation Jump to behavior
Queries the product ID of Windows
Source: C:\ProgramData\output.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId Jump to behavior
Source: C:\ProgramData\nano.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\ProgramData\nano.exe Code function: 2_2_011DAF9A GetUserNameW, 2_2_011DAF9A

Stealing of Sensitive Information:

barindex
Yara detected MercurialGrabber
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.301105822.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285297877.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285865715.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285573349.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: output.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\output.exe, type: DROPPED
Yara detected Nanocore RAT
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\nano.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\ProgramData\output.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Login Data Jump to behavior

Remote Access Functionality:

barindex
Yara detected MercurialGrabber
Source: Yara match File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.301105822.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285297877.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285865715.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285573349.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: output.exe PID: 7124, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\output.exe, type: DROPPED
Detected Nanocore Rat
Source: 4Y85lSOUJ0.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: 4Y85lSOUJ0.exe, 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 4Y85lSOUJ0.exe, 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe, 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe, 00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nano.exe, 00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextVa