Windows Analysis Report
OCBC_BAN.EXE

Overview

General Information

Sample Name: OCBC_BAN.EXE
Analysis ID: 623417
MD5: be7bb1d25f6fb1b424ab8b54dc3971d0
SHA1: 73e4dcb20a351f5d7332ac2383fce657f22906b2
SHA256: 353fb33f1ee908da348b403a829f36ad6f6bd0aa3022bc56f0542f9197266b20
Tags: AgentTeslaagentteslananocoreexe
Infos:

Detection

Nanocore, AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

barindex
Source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "49b4bf8f-6f20-4306-8d82-ae70effc", "Group": "Default", "Domain1": "23.105.131.196", "Domain2": "127.0.0.1", "Port": 9070, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@elparque.com.uy", "Password": "info919", "Host": "mail.elparque.com.uy"}
Source: OCBC_BAN.EXE ReversingLabs: Detection: 31%
Source: http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg9Mytlggh.Properties.ResourcesSCsupumbveaihwmgvdfi Avira URL Cloud: Label: malware
Source: http://bmn.lpmpbanten.id Avira URL Cloud: Label: malware
Source: http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Metadefender: Detection: 37% Perma Link
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe ReversingLabs: Detection: 31%
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Joe Sandbox ML: detected
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack Avira: Label: TR/NanoCore.fadte
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: OCBC_BAN.EXE Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: OCBC_BAN.EXE Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

barindex
Source: Traffic Snort IDS: 2848901 ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...) 103.8.79.204:80 -> 192.168.2.6:49737
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49786 -> 200.40.119.50:587
Source: Malware configuration extractor URLs: 23.105.131.196
Source: Malware configuration extractor URLs: 127.0.0.1
Source: Joe Sandbox View ASN Name: AdministracionNacionaldeTelecomunicacionesUY AdministracionNacionaldeTelecomunicacionesUY
Source: global traffic HTTP traffic detected: GET /fint/Waxhxbwa_Ytgbplyy.jpg HTTP/1.1Host: bmn.lpmpbanten.idConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 103.8.79.204 103.8.79.204
Source: global traffic TCP traffic: 192.168.2.6:49786 -> 200.40.119.50:587
Source: global traffic TCP traffic: 192.168.2.6:49795 -> 23.105.131.196:9070
Source: global traffic TCP traffic: 192.168.2.6:49786 -> 200.40.119.50:587
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://WmuGtz.com
Source: OCBC_BAN.EXE, 00000000.00000002.535616448.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bmn.lpmpbanten.id
Source: OCBC_BAN.EXE String found in binary or memory: http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg
Source: OCBC_BAN.EXE, windscribe.exe.0.dr String found in binary or memory: http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg9Mytlggh.Properties.ResourcesSCsupumbveaihwmgvdfi
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634961619.000000000349E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.elparque.com.uy
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634961619.000000000349E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mx.mf.netgate.com.uy
Source: OCBC_BAN.EXE, 00000000.00000002.535616448.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: OCBC_BAN.EXE, 00000000.00000002.535692685.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: OCBC_BAN.EXE, 00000000.00000002.535692685.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: OCBC_BAN.EXE, 00000000.00000002.535692685.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: bmn.lpmpbanten.id
Source: global traffic HTTP traffic detected: GET /fint/Waxhxbwa_Ytgbplyy.jpg HTTP/1.1Host: bmn.lpmpbanten.idConnection: Keep-Alive
Source: OCBC_BAN.EXE, 00000000.00000002.533747340.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

barindex
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR

System Summary

barindex
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.OCBC_BAN.EXE.a7b3e38.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.5300000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.5300000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.OCBC_BAN.EXE.a803e58.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.3.OCBC_BAN.EXE.a7b3e38.0.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.3.OCBC_BAN.EXE.a803e58.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.OCBC_BAN.EXE.985c050.2.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.3.OCBC_BAN.EXE.985c050.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, type: DROPPED Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Pubrtkzyqpdcef1.exe.0.dr, u003cPrivateImplementationDetailsu003eu007b709DF250u002dC716u002d4F4Eu002dB078u002dD4183B01CCB2u007d/u0039DE03333u002d9F21u002d4AC9u002d9E4Eu002dA76868BFFFA5.cs Large array initialization: .cctor: array initializer size 11638
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, u003cPrivateImplementationDetailsu003eu007b709DF250u002dC716u002d4F4Eu002dB078u002dD4183B01CCB2u007d/u0039DE03333u002d9F21u002d4AC9u002d9E4Eu002dA76868BFFFA5.cs Large array initialization: .cctor: array initializer size 11638
Source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, u003cPrivateImplementationDetailsu003eu007b709DF250u002dC716u002d4F4Eu002dB078u002dD4183B01CCB2u007d/u0039DE03333u002d9F21u002d4AC9u002d9E4Eu002dA76868BFFFA5.cs Large array initialization: .cctor: array initializer size 11638
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack, u003cPrivateImplementationDetailsu003eu007b709DF250u002dC716u002d4F4Eu002dB078u002dD4183B01CCB2u007d/u0039DE03333u002d9F21u002d4AC9u002d9E4Eu002dA76868BFFFA5.cs Large array initialization: .cctor: array initializer size 11638
Source: OCBC_BAN.EXE Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.OCBC_BAN.EXE.a7b3e38.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.5300000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.5300000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.5300000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.OCBC_BAN.EXE.a803e58.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.3.OCBC_BAN.EXE.a7b3e38.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.3.OCBC_BAN.EXE.a803e58.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.OCBC_BAN.EXE.985c050.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.3.OCBC_BAN.EXE.985c050.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, type: DROPPED Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Code function: 0_2_00F41058 0_2_00F41058
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Code function: 0_2_00F44BE9 0_2_00F44BE9
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Code function: 0_2_00F410D0 0_2_00F410D0
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Code function: 0_2_00F4B410 0_2_00F4B410
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Code function: 0_2_00F40D40 0_2_00F40D40
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Code function: 0_2_00F40D30 0_2_00F40D30
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_00E3A318 9_2_00E3A318
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_0303F3C8 9_2_0303F3C8
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_0303F080 9_2_0303F080
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_0693B788 9_2_0693B788
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_06935730 9_2_06935730
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_069384E0 9_2_069384E0
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_06930040 9_2_06930040
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_0693847C 9_2_0693847C
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_06931200 9_2_06931200
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_06931150 9_2_06931150
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_06959BA8 9_2_06959BA8
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_06957B60 9_2_06957B60
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_069561C8 9_2_069561C8
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_06954168 9_2_06954168
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Code function: 12_2_0299E480 12_2_0299E480
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Code function: 12_2_0299E471 12_2_0299E471
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Code function: 12_2_0299BBD4 12_2_0299BBD4
Source: OCBC_BAN.EXE Binary or memory string: OriginalFilename vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 00000000.00000000.366564071.0000000000822000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWaxhxbwa.exe6 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 00000000.00000003.497174960.000000000A803000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLoEHkIIHEsPPZAAaPoftCEdkhMNJM.exe4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 00000000.00000003.497125933.000000000A7AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLoEHkIIHEsPPZAAaPoftCEdkhMNJM.exe4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLoEHkIIHEsPPZAAaPoftCEdkhMNJM.exe4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 00000000.00000003.521290536.0000000009309000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCsupumbveaihwmgvdfi.dll" vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE Binary or memory string: OriginalFilename vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000000.529126357.0000000000632000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWaxhxbwa.exe6 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.637423613.0000000005B90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.634309710.0000000002A78000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE Binary or memory string: OriginalFilenameWaxhxbwa.exe6 vs OCBC_BAN.EXE
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe 01E3C7651589A572C90A38AA1476BF4A50CCD35383FE3114BE11068D5C2A9E39
Source: OCBC_BAN.EXE ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File read: C:\Users\user\Desktop\OCBC_BAN.EXE Jump to behavior
Source: OCBC_BAN.EXE Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\OCBC_BAN.EXE "C:\Users\user\Desktop\OCBC_BAN.EXE"
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 10
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process created: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe "C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe"
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process created: C:\Users\user\Desktop\OCBC_BAN.EXE C:\Users\user\Desktop\OCBC_BAN.EXE
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10 Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process created: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe "C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe" Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process created: C:\Users\user\Desktop\OCBC_BAN.EXE C:\Users\user\Desktop\OCBC_BAN.EXE Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 10 Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File created: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/5@3/3
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Mutant created: \Sessions\1\BaseNamedObjects\Global\{49b4bf8f-6f20-4306-8d82-ae70effc40f1}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_01
Source: Pubrtkzyqpdcef1.exe.0.dr, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Pubrtkzyqpdcef1.exe.0.dr, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: OCBC_BAN.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: OCBC_BAN.EXE Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

barindex
Source: OCBC_BAN.EXE, dyrax.cs .Net Code: okxqd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: windscribe.exe.0.dr, dyrax.cs .Net Code: okxqd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.OCBC_BAN.EXE.820000.0.unpack, dyrax.cs .Net Code: okxqd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.OCBC_BAN.EXE.820000.0.unpack, dyrax.cs .Net Code: okxqd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Code function: 0_2_00F4CFC7 push 8B02AC5Ch; retf 0_2_00F4CFCC
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_0693DD62 push 83623700h; ret 9_2_0693DD69
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_0693E36C push esp; iretd 9_2_0693E37B
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_0695EEA1 push es; retf 9_2_0695EF04
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe Jump to dropped file
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File created: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Jump to dropped file

Boot Survival

barindex
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe\:Zone.Identifier:$DATA Jump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Users\user\Desktop\OCBC_BAN.EXE File opened: C:\Users\user\Desktop\OCBC_BAN.EXE:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\OCBC_BAN.EXE TID: 6436 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE TID: 5300 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 5040 Thread sleep count: 62 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe TID: 6868 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe TID: 6868 Thread sleep time: -32281802128991695s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe TID: 6860 Thread sleep count: 4710 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe TID: 1800 Thread sleep count: 3967 > 30 Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE TID: 6296 Thread sleep time: -23980767295822402s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Window / User API: threadDelayed 4710 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Window / User API: threadDelayed 3967 Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Window / User API: threadDelayed 3726 Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Window / User API: threadDelayed 5720 Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Window / User API: foregroundWindowGot 371 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.633430133.0000000001506000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: OCBC_BAN.EXE, 0000000C.00000002.633203616.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: OCBC_BAN.EXE, 00000000.00000002.533832064.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Code function: 9_2_06935730 LdrInitializeThunk, 9_2_06935730
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Memory written: C:\Users\user\Desktop\OCBC_BAN.EXE base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10 Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process created: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe "C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe" Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Process created: C:\Users\user\Desktop\OCBC_BAN.EXE C:\Users\user\Desktop\OCBC_BAN.EXE Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 10 Jump to behavior
Source: OCBC_BAN.EXE, 0000000C.00000002.637688473.00000000061DE000.00000004.00000010.00020000.00000000.sdmp, OCBC_BAN.EXE, 0000000C.00000002.637734244.000000000655E000.00000004.00000010.00020000.00000000.sdmp, OCBC_BAN.EXE, 0000000C.00000002.634401808.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: OCBC_BAN.EXE, 0000000C.00000002.634375880.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 0000000C.00000002.634556764.0000000002C25000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 0000000C.00000002.635333321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager|$
Source: OCBC_BAN.EXE, 0000000C.00000002.634401808.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx
Source: OCBC_BAN.EXE, 0000000C.00000002.635333321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerHa|l
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Queries volume information: C:\Users\user\Desktop\OCBC_BAN.EXE VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Queries volume information: C:\Users\user\Desktop\OCBC_BAN.EXE VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

barindex
Source: Yara match File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.OCBC_BAN.EXE.a7b3e38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.OCBC_BAN.EXE.a803e58.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.OCBC_BAN.EXE.a7b3e38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.OCBC_BAN.EXE.a803e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.465813754.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.497174960.000000000A803000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.497125933.000000000A7AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.466270917.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.632461806.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.462652730.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.465157783.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, type: DROPPED
Source: Yara match File source: 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Pubrtkzyqpdcef1.exe PID: 5604, type: MEMORYSTR
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: Yara match File source: 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pubrtkzyqpdcef1.exe PID: 5604, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.OCBC_BAN.EXE.a7b3e38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.OCBC_BAN.EXE.a803e58.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.OCBC_BAN.EXE.a7b3e38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.OCBC_BAN.EXE.a803e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.465813754.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.497174960.000000000A803000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.497125933.000000000A7AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.466270917.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.632461806.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.462652730.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.465157783.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, type: DROPPED
Source: Yara match File source: 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Pubrtkzyqpdcef1.exe PID: 5604, type: MEMORYSTR
Source: OCBC_BAN.EXE, 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: OCBC_BAN.EXE, 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs