Edit tour

Windows Analysis Report
Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe

Overview

General Information

Sample Name:	Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Analysis ID:	625814
MD5:	717fc8318eb370b1e8ae630af9fe431d
SHA1:	842ee97ed218857603188de6831afcc9919addd6
SHA256:	6035a6b2488b6c073d4b1cda9c9879e207b73e94c3551624667e59cc8719dd01
Tags:	exeNanoCore
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Antivirus detection for URL or domain

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Creates processes with suspicious names

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe (PID: 6316 cmdline: "C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe" MD5: 717FC8318EB370B1E8AE630AF9FE431D)

Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe (PID: 6632 cmdline: C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe MD5: 717FC8318EB370B1E8AE630AF9FE431D)

Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe (PID: 6648 cmdline: C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe MD5: 717FC8318EB370B1E8AE630AF9FE431D)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "fe56abb4-cb76-44f1-89b4-7bb11730", "Group": "Default", "Domain1": "deranano2.ddns.net", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.283132677.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.283132677.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.283132677.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000000.282158079.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.282158079.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.282158079.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.287715667.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000000.282584225.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.282584225.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.282584225.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000000.283785839.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.283785839.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.283785839.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.287825585.0000000002F03000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.289011583.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe904d:$x1: NanoCore.ClientPluginHost 0x11b86d:$x1: NanoCore.ClientPluginHost 0x1be06d:$x1: NanoCore.ClientPluginHost 0xe908a:$x2: IClientNetworkHost 0x11b8aa:$x2: IClientNetworkHost 0x1be0aa:$x2: IClientNetworkHost 0xecbbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11f3dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1c1bdd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.289011583.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.289011583.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe8db5:$a: NanoCore 0xe8dc5:$a: NanoCore 0xe8ff9:$a: NanoCore 0xe900d:$a: NanoCore 0xe904d:$a: NanoCore 0x11b5d5:$a: NanoCore 0x11b5e5:$a: NanoCore 0x11b819:$a: NanoCore 0x11b82d:$a: NanoCore 0x11b86d:$a: NanoCore 0x1bddd5:$a: NanoCore 0x1bdde5:$a: NanoCore 0x1be019:$a: NanoCore 0x1be02d:$a: NanoCore 0x1be06d:$a: NanoCore 0xe8e14:$b: ClientPlugin 0xe9016:$b: ClientPlugin 0xe9056:$b: ClientPlugin 0x11b634:$b: ClientPlugin 0x11b836:$b: ClientPlugin 0x11b876:$b: ClientPlugin
Process Memory Space: Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe PID: 6316	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd6e89:$x1: NanoCore.ClientPluginHost 0xd6ec6:$x2: IClientNetworkHost 0xda9ae:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe5a2c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf0ec4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10c35e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe PID: 6316	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe PID: 6316	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe PID: 6316	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd6b56:$a: NanoCore 0xd6b66:$a: NanoCore 0xd6c25:$a: NanoCore 0xd6c34:$a: NanoCore 0xd6e35:$a: NanoCore 0xd6e49:$a: NanoCore 0xd6e89:$a: NanoCore 0xe2096:$a: NanoCore 0xe20a8:$a: NanoCore 0xe20e4:$a: NanoCore 0xed52e:$a: NanoCore 0xed540:$a: NanoCore 0xed57c:$a: NanoCore 0x1089c8:$a: NanoCore 0x1089da:$a: NanoCore 0x108a16:$a: NanoCore 0xd6bb5:$b: ClientPlugin 0xd6c7e:$b: ClientPlugin 0xd6e52:$b: ClientPlugin 0xd6e92:$b: ClientPlugin 0xe20b1:$b: ClientPlugin
Process Memory Space: Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe PID: 6648	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13ae9:$x1: NanoCore.ClientPluginHost 0x13b26:$x2: IClientNetworkHost 0x17617:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2269d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe PID: 6648	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe PID: 6648	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x137b6:$a: NanoCore 0x137c6:$a: NanoCore 0x13885:$a: NanoCore 0x13894:$a: NanoCore 0x13a95:$a: NanoCore 0x13aa9:$a: NanoCore 0x13ae9:$a: NanoCore 0x1ed07:$a: NanoCore 0x1ed19:$a: NanoCore 0x1ed55:$a: NanoCore 0x13815:$b: ClientPlugin 0x138de:$b: ClientPlugin 0x13ab2:$b: ClientPlugin 0x13af2:$b: ClientPlugin 0x1ed22:$b: ClientPlugin 0x1ed5e:$b: ClientPlugin 0x69f9c:$b: ClientPlugin 0x69fb3:$b: ClientPlugin 0x139d7:$c: ProjectData 0x1ec54:$c: ProjectData 0x143ab:$d: DESCrypto
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.40a4ec0.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.40a4ec0.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.40a4ec0.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.40a4ec0.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.40a4ec0.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.40f52c0.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x94dad:$x1: NanoCore.ClientPluginHost 0x94dea:$x2: IClientNetworkHost 0x9891d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.40f52c0.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.40f52c0.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x47d9f:$s1: file:/// 0x47caf:$s2: {11111-22222-10009-11112} 0x47d2f:$s3: {11111-22222-50001-00000} 0x45731:$s4: get_Module 0x45ba0:$s5: Reverse 0x47882:$s6: BlockCopy 0x9fb8f:$s6: BlockCopy 0x9fb86:$s7: ReadByte 0x47db1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.40f52c0.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x94b15:$x1: NanoCore Client 0x94b25:$x1: NanoCore Client 0x94d6d:$x2: NanoCore.ClientPlugin 0x94dad:$x3: NanoCore.ClientPluginHost 0x94d62:$i1: IClientApp 0x94d83:$i2: IClientData 0x94d8f:$i3: IClientNetwork 0x94d9e:$i4: IClientAppHost 0x94dc7:$i5: IClientDataHost 0x94dd7:$i6: IClientLoggingHost 0x94dea:$i7: IClientNetworkHost 0x94dfd:$i8: IClientUIHost 0x94e0b:$i9: IClientNameObjectCollection 0x94e27:$i10: IClientReadOnlyNameObjectCollection 0x94b74:$s1: ClientPlugin 0x94d76:$s1: ClientPlugin 0x9526a:$s2: EndPoint 0x95273:$s3: IPAddress 0x9527d:$s4: IPEndPoint 0x96cb3:$s6: get_ClientSettings 0x97257:$s7: get_Connected
0.2.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.40f52c0.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x94b15:$a: NanoCore 0x94b25:$a: NanoCore 0x94d59:$a: NanoCore 0x94d6d:$a: NanoCore 0x94dad:$a: NanoCore 0x94b74:$b: ClientPlugin 0x94d76:$b: ClientPlugin 0x94db6:$b: ClientPlugin 0x477b5:$c: ProjectData 0x94c9b:$c: ProjectData 0x956a2:$d: DESCrypto 0x9d06e:$e: KeepAlive 0x9b05c:$g: LogClientMessage 0x97257:$i: get_Connected 0x959d8:$j: #=q 0x95a08:$j: #=q 0x95a24:$j: #=q 0x95a54:$j: #=q 0x95a70:$j: #=q 0x95a8c:$j: #=q 0x95abc:$j: #=q
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Windows Analysis Report
Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe