Play interactive tour

Edit tour

Windows Analysis Report 4Y85lSOUJ0.exe

Overview

General Information

Sample Name:	4Y85lSOUJ0.exe
Analysis ID:	553230
MD5:	4f439877b84b51b8caa48ae81e1d2363
SHA1:	defde1263c0ca2d604226cff86e4045a28650ab4
SHA256:	b05b740309562ab6160cc3eb8ed2f0dd839d53c6c71f67bf40aeeb3f580eeb0a
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore MercurialGrabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected MercurialGrabber

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the product ID of Windows

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Uses a known web browser user agent for HTTP communication

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

4Y85lSOUJ0.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\4Y85lSOUJ0.exe" MD5: 4F439877B84B51B8CAA48AE81E1D2363)

nano.exe (PID: 6968 cmdline: "C:\ProgramData\nano.exe" MD5: 94115D1343C7C81682FE2D48CB9F8B96)

output.exe (PID: 7124 cmdline: "C:\ProgramData\output.exe" MD5: BF3C8FF8097814C773B0E86495FD0013)

conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "e5633be0-23ed-438f-a28c-ab363fff", "Group": "Lol ve Valo", "Domain1": "alpay.germanywestcentral.cloudapp.azure.com", "Domain2": "", "Port": 6000, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 4985, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "fcff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "alpay.germanywestcentral.cloudapp.azure.com"}

Threatname: MercurialGrabber

{"Webhook Url": "https://discord.com/api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
4Y85lSOUJ0.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1abfd:$x1: NanoCore.ClientPluginHost 0x1ac3a:$x2: IClientNetworkHost 0x1e76d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4Y85lSOUJ0.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a975:$x1: NanoCore Client.exe 0x1abfd:$x2: NanoCore.ClientPluginHost 0x1c236:$s1: PluginCommand 0x1c22a:$s2: FileCommand 0x1d0db:$s3: PipeExists 0x22e92:$s4: PipeCreated 0x1ac27:$s5: IClientLoggingHost
4Y85lSOUJ0.exe	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
4Y85lSOUJ0.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4Y85lSOUJ0.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a965:$a: NanoCore 0x1a975:$a: NanoCore 0x1aba9:$a: NanoCore 0x1abbd:$a: NanoCore 0x1abfd:$a: NanoCore 0x1a9c4:$b: ClientPlugin 0x1abc6:$b: ClientPlugin 0x1ac06:$b: ClientPlugin 0x1aaeb:$c: ProjectData 0x1b4f2:$d: DESCrypto 0x22ebe:$e: KeepAlive 0x20eac:$g: LogClientMessage 0x1d0a7:$i: get_Connected 0x1b828:$j: #=q 0x1b858:$j: #=q 0x1b874:$j: #=q 0x1b8a4:$j: #=q 0x1b8c0:$j: #=q 0x1b8dc:$j: #=q 0x1b90c:$j: #=q 0x1b928:$j: #=q
4Y85lSOUJ0.exe	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0xf37:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x2163:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x2367:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0x7e5c:$x1: ---------------- mercurial grabber ---------------- 0x80a4:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0x82be:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\output.exe	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
C:\ProgramData\output.exe	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0xacc:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x1cf8:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x1efc:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0x79f1:$x1: ---------------- mercurial grabber ---------------- 0x7c39:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0x7e53:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
C:\ProgramData\nano.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\ProgramData\nano.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\ProgramData\nano.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\ProgramData\nano.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a9fd:$x1: NanoCore.ClientPluginHost 0x1aa3a:$x2: IClientNetworkHost 0x1e56d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a765:$a: NanoCore 0x1a775:$a: NanoCore 0x1a9a9:$a: NanoCore 0x1a9bd:$a: NanoCore 0x1a9fd:$a: NanoCore 0x1a7c4:$b: ClientPlugin 0x1a9c6:$b: ClientPlugin 0x1aa06:$b: ClientPlugin 0x1a8eb:$c: ProjectData 0x1b2f2:$d: DESCrypto 0x22cbe:$e: KeepAlive 0x20cac:$g: LogClientMessage 0x1cea7:$i: get_Connected 0x1b628:$j: #=q 0x1b658:$j: #=q 0x1b674:$j: #=q 0x1b6a4:$j: #=q 0x1b6c0:$j: #=q 0x1b6dc:$j: #=q 0x1b70c:$j: #=q 0x1b728:$j: #=q
00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x103f5:$x1: NanoCore.ClientPluginHost 0x10432:$x2: IClientNetworkHost 0x13f65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1015d:$a: NanoCore 0x1016d:$a: NanoCore 0x103a1:$a: NanoCore 0x103b5:$a: NanoCore 0x103f5:$a: NanoCore 0x101bc:$b: ClientPlugin 0x103be:$b: ClientPlugin 0x103fe:$b: ClientPlugin 0x102e3:$c: ProjectData 0x10cea:$d: DESCrypto 0x186b6:$e: KeepAlive 0x166a4:$g: LogClientMessage 0x1289f:$i: get_Connected 0x11020:$j: #=q 0x11050:$j: #=q 0x1106c:$j: #=q 0x1109c:$j: #=q 0x110b8:$j: #=q 0x110d4:$j: #=q 0x11104:$j: #=q 0x11120:$j: #=q
00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000002.00000002.554989173.0000000005720000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.301105822.0000000000302000.00000002.00020000.sdmp	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.285297877.0000000000302000.00000002.00020000.sdmp	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf625:$a: NanoCore 0xf67e:$a: NanoCore 0xf6bb:$a: NanoCore 0xf734:$a: NanoCore 0x22ddf:$a: NanoCore 0x22df4:$a: NanoCore 0x22e29:$a: NanoCore 0x3b9c3:$a: NanoCore 0x3b9d8:$a: NanoCore 0x3ba0d:$a: NanoCore 0xf687:$b: ClientPlugin 0xf6c4:$b: ClientPlugin 0xffc2:$b: ClientPlugin 0xffcf:$b: ClientPlugin 0x22b9b:$b: ClientPlugin 0x22bb6:$b: ClientPlugin 0x22be6:$b: ClientPlugin 0x22dfd:$b: ClientPlugin 0x22e32:$b: ClientPlugin 0x3b77f:$b: ClientPlugin 0x3b79a:$b: ClientPlugin
00000005.00000000.285865715.0000000000302000.00000002.00020000.sdmp	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000000.285573349.0000000000302000.00000002.00020000.sdmp	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a9fd:$x1: NanoCore.ClientPluginHost 0x1aa3a:$x2: IClientNetworkHost 0x1e56d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a765:$a: NanoCore 0x1a775:$a: NanoCore 0x1a9a9:$a: NanoCore 0x1a9bd:$a: NanoCore 0x1a9fd:$a: NanoCore 0x1a7c4:$b: ClientPlugin 0x1a9c6:$b: ClientPlugin 0x1aa06:$b: ClientPlugin 0x1a8eb:$c: ProjectData 0x1b2f2:$d: DESCrypto 0x22cbe:$e: KeepAlive 0x20cac:$g: LogClientMessage 0x1cea7:$i: get_Connected 0x1b628:$j: #=q 0x1b658:$j: #=q 0x1b674:$j: #=q 0x1b6a4:$j: #=q 0x1b6c0:$j: #=q 0x1b6dc:$j: #=q 0x1b70c:$j: #=q 0x1b728:$j: #=q
Process Memory Space: 4Y85lSOUJ0.exe PID: 6896	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6900:$x1: NanoCore.ClientPluginHost 0x2789a:$x1: NanoCore.ClientPluginHost 0x693d:$x2: IClientNetworkHost 0x278d7:$x2: IClientNetworkHost 0xa140:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x14fb9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2b3c8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3644e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 4Y85lSOUJ0.exe PID: 6896	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
Process Memory Space: 4Y85lSOUJ0.exe PID: 6896	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 4Y85lSOUJ0.exe PID: 6896	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6633:$a: NanoCore 0x6643:$a: NanoCore 0x66c1:$a: NanoCore 0x66d0:$a: NanoCore 0x68ac:$a: NanoCore 0x68c0:$a: NanoCore 0x6900:$a: NanoCore 0x11623:$a: NanoCore 0x11635:$a: NanoCore 0x11671:$a: NanoCore 0x27567:$a: NanoCore 0x27577:$a: NanoCore 0x27636:$a: NanoCore 0x27645:$a: NanoCore 0x27846:$a: NanoCore 0x2785a:$a: NanoCore 0x2789a:$a: NanoCore 0x32ab8:$a: NanoCore 0x32aca:$a: NanoCore 0x32b06:$a: NanoCore 0x666d:$b: ClientPlugin
Process Memory Space: nano.exe PID: 6968	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xcbf8:$x1: NanoCore.ClientPluginHost 0x5d21b:$x1: NanoCore.ClientPluginHost 0x646a4:$x1: NanoCore.ClientPluginHost 0xb8c04:$x1: NanoCore.ClientPluginHost 0xfe8f4:$x1: NanoCore.ClientPluginHost 0xcc35:$x2: IClientNetworkHost 0x5d235:$x2: IClientNetworkHost 0x646be:$x2: IClientNetworkHost 0xb8c31:$x2: IClientNetworkHost 0xfe90e:$x2: IClientNetworkHost 0x10726:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1b7ac:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11438f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11cb70:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: nano.exe PID: 6968	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: nano.exe PID: 6968	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc8c5:$a: NanoCore 0xc8d5:$a: NanoCore 0xc994:$a: NanoCore 0xc9a3:$a: NanoCore 0xcba4:$a: NanoCore 0xcbb8:$a: NanoCore 0xcbf8:$a: NanoCore 0x17e16:$a: NanoCore 0x17e28:$a: NanoCore 0x17e64:$a: NanoCore 0x458d4:$a: NanoCore 0x5d185:$a: NanoCore 0x5d1de:$a: NanoCore 0x5d21b:$a: NanoCore 0x5d294:$a: NanoCore 0x5db4d:$a: NanoCore 0x5dba0:$a: NanoCore 0x5dbd9:$a: NanoCore 0x5dc4c:$a: NanoCore 0x6460e:$a: NanoCore 0x64667:$a: NanoCore
Process Memory Space: output.exe PID: 7124	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.nano.exe.a80000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.nano.exe.a80000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.0.nano.exe.a80000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.nano.exe.a80000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.0.nano.exe.a80000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.nano.exe.a80000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.0.nano.exe.a80000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.nano.exe.a80000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.nano.exe.5720000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
2.2.nano.exe.5720000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
2.2.nano.exe.5c40000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
2.2.nano.exe.5c40000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
2.2.nano.exe.5c40000.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0xacc:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x1cf8:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x1efc:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0x79f1:$x1: ---------------- mercurial grabber ---------------- 0x7c39:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0x7e53:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.nano.exe.5c40000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
2.2.nano.exe.5c40000.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
2.2.nano.exe.5c40000.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.nano.exe.42ee67c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28391:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x283be:$x2: IClientNetworkHost
2.2.nano.exe.42ee67c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28391:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2946c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x283ab:$s5: IClientLoggingHost
2.2.nano.exe.42ee67c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.0.4Y85lSOUJ0.exe.69226b.2.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0x5834:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x6a60:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x6c64:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0xc759:$x1: ---------------- mercurial grabber ---------------- 0xc9a1:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0xcbbb:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
0.2.4Y85lSOUJ0.exe.69226b.1.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
5.2.output.exe.300000.0.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
5.2.output.exe.300000.0.unpack	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0xacc:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x1cf8:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x1efc:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0x79f1:$x1: ---------------- mercurial grabber ---------------- 0x7c39:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0x7e53:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.nano.exe.a80000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.nano.exe.a80000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.2.nano.exe.a80000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.nano.exe.a80000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.nano.exe.42f2ca5.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23d68:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23d95:$x2: IClientNetworkHost
2.2.nano.exe.42f2ca5.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23d68:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24e43:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23d82:$s5: IClientLoggingHost
2.2.nano.exe.42f2ca5.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4Y85lSOUJ0.exe.2de9114.5.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a792:$x1: NanoCore.ClientPluginHost 0x1a7cf:$x2: IClientNetworkHost 0x1e302:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a50a:$x1: NanoCore Client.exe 0x1a792:$x2: NanoCore.ClientPluginHost 0x1bdcb:$s1: PluginCommand 0x1bdbf:$s2: FileCommand 0x1cc70:$s3: PipeExists 0x22a27:$s4: PipeCreated 0x1a7bc:$s5: IClientLoggingHost
0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a4fa:$a: NanoCore 0x1a50a:$a: NanoCore 0x1a73e:$a: NanoCore 0x1a752:$a: NanoCore 0x1a792:$a: NanoCore 0x1a559:$b: ClientPlugin 0x1a75b:$b: ClientPlugin 0x1a79b:$b: ClientPlugin 0x1a680:$c: ProjectData 0x1b087:$d: DESCrypto 0x22a53:$e: KeepAlive 0x20a41:$g: LogClientMessage 0x1cc3c:$i: get_Connected 0x1b3bd:$j: #=q 0x1b3ed:$j: #=q 0x1b409:$j: #=q 0x1b439:$j: #=q 0x1b455:$j: #=q 0x1b471:$j: #=q 0x1b4a1:$j: #=q 0x1b4bd:$j: #=q
0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0xacc:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x1cf8:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x1efc:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0x79f1:$x1: ---------------- mercurial grabber ---------------- 0x7c39:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0x7e53:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
0.2.4Y85lSOUJ0.exe.3de4268.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4Y85lSOUJ0.exe.3de4268.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.4Y85lSOUJ0.exe.3de4268.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4Y85lSOUJ0.exe.3de4268.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
2.2.nano.exe.32b1744.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
2.2.nano.exe.32b1744.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.0.output.exe.300000.2.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
5.0.output.exe.300000.2.unpack	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0xacc:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x1cf8:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x1efc:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0x79f1:$x1: ---------------- mercurial grabber ---------------- 0x7c39:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0x7e53:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
0.2.4Y85lSOUJ0.exe.69c870.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4Y85lSOUJ0.exe.69c870.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.4Y85lSOUJ0.exe.69c870.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4Y85lSOUJ0.exe.69c870.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.nano.exe.42e9846.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d1c7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d1f4:$x2: IClientNetworkHost
2.2.nano.exe.42e9846.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d1c7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e2a2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d1e1:$s5: IClientLoggingHost
2.2.nano.exe.42e9846.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.nano.exe.42e9846.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d17d:$a: NanoCore 0x2d192:$a: NanoCore 0x2d1c7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2cf39:$b: ClientPlugin 0x2cf54:$b: ClientPlugin
2.2.nano.exe.5c44629.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
2.2.nano.exe.5c44629.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
2.2.nano.exe.5c44629.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.nano.exe.42ee67c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
2.2.nano.exe.42ee67c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
2.2.nano.exe.42ee67c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.nano.exe.a80000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.nano.exe.a80000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.0.nano.exe.a80000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.nano.exe.a80000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.0.4Y85lSOUJ0.exe.690000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1abfd:$x1: NanoCore.ClientPluginHost 0x1ac3a:$x2: IClientNetworkHost 0x1e76d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.4Y85lSOUJ0.exe.690000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a975:$x1: NanoCore Client.exe 0x1abfd:$x2: NanoCore.ClientPluginHost 0x1c236:$s1: PluginCommand 0x1c22a:$s2: FileCommand 0x1d0db:$s3: PipeExists 0x22e92:$s4: PipeCreated 0x1ac27:$s5: IClientLoggingHost
0.0.4Y85lSOUJ0.exe.690000.0.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
0.0.4Y85lSOUJ0.exe.690000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.0.4Y85lSOUJ0.exe.690000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a965:$a: NanoCore 0x1a975:$a: NanoCore 0x1aba9:$a: NanoCore 0x1abbd:$a: NanoCore 0x1abfd:$a: NanoCore 0x1a9c4:$b: ClientPlugin 0x1abc6:$b: ClientPlugin 0x1ac06:$b: ClientPlugin 0x1aaeb:$c: ProjectData 0x1b4f2:$d: DESCrypto 0x22ebe:$e: KeepAlive 0x20eac:$g: LogClientMessage 0x1d0a7:$i: get_Connected 0x1b828:$j: #=q 0x1b858:$j: #=q 0x1b874:$j: #=q 0x1b8a4:$j: #=q 0x1b8c0:$j: #=q 0x1b8dc:$j: #=q 0x1b90c:$j: #=q 0x1b928:$j: #=q
0.0.4Y85lSOUJ0.exe.690000.0.unpack	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0xf37:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x2163:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x2367:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0x7e5c:$x1: ---------------- mercurial grabber ---------------- 0x80a4:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0x82be:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
5.0.output.exe.300000.1.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
5.0.output.exe.300000.1.unpack	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0xacc:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x1cf8:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x1efc:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0x79f1:$x1: ---------------- mercurial grabber ---------------- 0x7c39:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0x7e53:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
0.0.4Y85lSOUJ0.exe.69c870.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.4Y85lSOUJ0.exe.69c870.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.0.4Y85lSOUJ0.exe.69c870.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.0.4Y85lSOUJ0.exe.69c870.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.0.output.exe.300000.0.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
5.0.output.exe.300000.0.unpack	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0xacc:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x1cf8:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x1efc:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0x79f1:$x1: ---------------- mercurial grabber ---------------- 0x7c39:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0x7e53:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
0.2.4Y85lSOUJ0.exe.690000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1abfd:$x1: NanoCore.ClientPluginHost 0x1ac3a:$x2: IClientNetworkHost 0x1e76d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4Y85lSOUJ0.exe.690000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a975:$x1: NanoCore Client.exe 0x1abfd:$x2: NanoCore.ClientPluginHost 0x1c236:$s1: PluginCommand 0x1c22a:$s2: FileCommand 0x1d0db:$s3: PipeExists 0x22e92:$s4: PipeCreated 0x1ac27:$s5: IClientLoggingHost
2.0.nano.exe.a80000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.nano.exe.a80000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.4Y85lSOUJ0.exe.690000.0.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
0.2.4Y85lSOUJ0.exe.690000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.nano.exe.a80000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4Y85lSOUJ0.exe.690000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a965:$a: NanoCore 0x1a975:$a: NanoCore 0x1aba9:$a: NanoCore 0x1abbd:$a: NanoCore 0x1abfd:$a: NanoCore 0x1a9c4:$b: ClientPlugin 0x1abc6:$b: ClientPlugin 0x1ac06:$b: ClientPlugin 0x1aaeb:$c: ProjectData 0x1b4f2:$d: DESCrypto 0x22ebe:$e: KeepAlive 0x20eac:$g: LogClientMessage 0x1d0a7:$i: get_Connected 0x1b828:$j: #=q 0x1b858:$j: #=q 0x1b874:$j: #=q 0x1b8a4:$j: #=q 0x1b8c0:$j: #=q 0x1b8dc:$j: #=q 0x1b90c:$j: #=q 0x1b928:$j: #=q
2.0.nano.exe.a80000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.4Y85lSOUJ0.exe.690000.0.unpack	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0xf37:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x2163:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x2367:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0x7e5c:$x1: ---------------- mercurial grabber ---------------- 0x80a4:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0x82be:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a792:$x1: NanoCore.ClientPluginHost 0x1a7cf:$x2: IClientNetworkHost 0x1e302:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a50a:$x1: NanoCore Client.exe 0x1a792:$x2: NanoCore.ClientPluginHost 0x1bdcb:$s1: PluginCommand 0x1bdbf:$s2: FileCommand 0x1cc70:$s3: PipeExists 0x22a27:$s4: PipeCreated 0x1a7bc:$s5: IClientLoggingHost
0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack	JoeSecurity_MercurialGrabber	Yara detected MercurialGrabber	Joe Security
0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a4fa:$a: NanoCore 0x1a50a:$a: NanoCore 0x1a73e:$a: NanoCore 0x1a752:$a: NanoCore 0x1a792:$a: NanoCore 0x1a559:$b: ClientPlugin 0x1a75b:$b: ClientPlugin 0x1a79b:$b: ClientPlugin 0x1a680:$c: ProjectData 0x1b087:$d: DESCrypto 0x22a53:$e: KeepAlive 0x20a41:$g: LogClientMessage 0x1cc3c:$i: get_Connected 0x1b3bd:$j: #=q 0x1b3ed:$j: #=q 0x1b409:$j: #=q 0x1b439:$j: #=q 0x1b455:$j: #=q 0x1b471:$j: #=q 0x1b4a1:$j: #=q 0x1b4bd:$j: #=q
0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack	MAL_Luna_Stealer_Apr_2021_1	Detect Luna stealer (also Mercurial Grabber)	Arkbird_SOLG	0xacc:$s1: 73 3B 00 00 0A 0B 07 72 AB 0B 00 70 02 7B 06 00 00 04 28 0E 00 00 0A 6F 3C 00 00 0A 0C 08 6F 3D 00 00 0A 6F 3E 00 00 0A 6F 3F 00 00 0A 0D 09 6F 40 00 00 0A 0A 02 72 DD 0B 00 70 06 28 2E 00 00 ... 0x1cf8:$s2: 72 F6 17 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0A 02 72 08 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 7D 37 00 00 04 72 0E 18 00 70 02 7B 35 00 00 04 28 2E 00 00 06 0B 02 06 72 2A 18 00 70 07 ... 0x1efc:$s3: 72 DC 18 00 70 73 7C 00 00 0A 0A 06 6F 7D 00 00 0A 6F 7E 00 00 0A 0C 2B 75 08 6F 7F 00 00 0A 74 53 00 00 01 0B 07 72 24 19 00 70 6F 80 00 00 0A 2C 16 02 07 72 24 19 00 70 6F 80 00 00 0A 6F 1D ... 0x79f1:$x1: ---------------- mercurial grabber ---------------- 0x7c39:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F 0x7e53:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
Click to see the 104 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\ProgramData\nano.exe, ProcessId: 6968, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\ProgramData\nano.exe, ProcessId: 6968, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\ProgramData\nano.exe, ProcessId: 6968, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\ProgramData\nano.exe, ProcessId: 6968, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp	Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "e5633be0-23ed-438f-a28c-ab363fff", "Group": "Lol ve Valo", "Domain1": "alpay.germanywestcentral.cloudapp.azure.com", "Domain2": "", "Port": 6000, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 4985, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "fcff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "alpay.germanywestcentral.cloudapp.azure.com"}
Source: 5.2.output.exe.300000.0.unpack	Malware Configuration Extractor: MercurialGrabber {"Webhook Url": "https://discord.com/api/webhooks/927987281703350292/hNa4BC1580ABvkRj9aSBy9rORGnNfCEHIauFtOCPo1WWv1cprxylpPM2dUs4LrksljK7"}

Multi AV Scanner detection for submitted file

Show sources

Source: 4Y85lSOUJ0.exe	Virustotal: Detection: 73%			Perma Link
Source: 4Y85lSOUJ0.exe	ReversingLabs: Detection: 82%

Yara detected MercurialGrabber

Show sources

Source: Yara match	File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.4Y85lSOUJ0.exe.69226b.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.2de43ac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.69226b.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.2de9114.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.output.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.output.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.output.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.287619799.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.301105822.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.285297877.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.285865715.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.285573349.0000000000302000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: output.exe PID: 7124, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\output.exe, type: DROPPED

Antivirus / Scanner detection for submitted sample

Show sources

Source: 4Y85lSOUJ0.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\ProgramData\output.exe	Avira: detection malicious, Label: HEUR/AGEN.1137455
Source: C:\ProgramData\nano.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Metadefender: Detection: 85%	Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 96%
Source: C:\ProgramData\nano.exe	Metadefender: Detection: 85%	Perma Link
Source: C:\ProgramData\nano.exe	ReversingLabs: Detection: 96%
Source: C:\ProgramData\output.exe	Metadefender: Detection: 51%	Perma Link
Source: C:\ProgramData\output.exe	ReversingLabs: Detection: 85%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 4Y85lSOUJ0.exe, type: SAMPLE
Source: Yara match	File source: 2.0.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.nano.exe.a80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nano.exe.5c40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.4Y85lSOUJ0.exe.69c870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nano.exe.5c40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nano.exe.42ee67c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.69c870.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nano.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nano.exe.42f2ca5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.4Y85lSOUJ0.exe.69226b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.69c870.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.3de4268.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nano.exe.42e9846.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nano.exe.5c44629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nano.exe.42ee67c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.nano.exe.a80000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.4Y85lSOUJ0.exe.69c870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.nano.exe.a80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4Y85lSOUJ0.exe.69226b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.280292541.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.283905085.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.283285603.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.287642993.0000000003DE4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.283614922.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.555253844.0000000005C40000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.553881083.00000000042DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.282943204.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.549792626.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.286708512.0000000000692000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4Y85lSOUJ0.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nano.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\nano.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Machine Learning detection for sample

Show sources

Source: 4Y85lSOUJ0.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\output.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\nano.exe	Joe Sandbox ML: detected

Source: 2.2.nano.exe.5c40000.7.unpack	Avira: Label: TR/NanoCore.fadte
Source: 0.2.4Y85lSOUJ0.exe.690000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.nano.exe.a80000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.nano.exe.a80000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.0.4Y85lSOUJ0.exe.690000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 4Y85lSOUJ0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Threatname: MercurialGrabber

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance: