Windows Analysis Report
692BB93169319EBA2F556174D781A8636D610A67E6838.exe

Overview

General Information

Sample Name: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
Analysis ID: 629870
MD5: a93162e62b49a591e0d481e030ffc9ea
SHA1: b0c48a0fc418977051bea837c16aa7928f654da7
SHA256: 692bb93169319eba2f556174d781a8636d610a67e6838e19300a8a2454cd8b2b
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

(classification graph not reproduced)

Process Tree

  • System is w10x64
  • 692BB93169319EBA2F556174D781A8636D610A67E6838.exe (PID: 5844 cmdline: "C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe" MD5: A93162E62B49A591E0D481E030FFC9EA)
    • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 5596 cmdline: "C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe" MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • wscript.exe (PID: 2208 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • ople.exe.exe (PID: 1796 cmdline: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe MD5: CA51A0A9E3EF192B26D9818DC4EC5FF0)
      • conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • RegAsm.exe (PID: 1428 cmdline: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup
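The process tree above carries the two tells that the behavioural and Sigma signatures key on: RegAsm.exe (a signed .NET framework utility) running with the dropper's path as its command line, which is what a process created suspended and overwritten with another image looks like in telemetry, and a .vbs dropped into the Startup folder that wscript.exe later runs to relaunch the payload from AppData\Roaming\etwa. The following Python is an added example, not part of the Joe Sandbox report, that applies those checks to constructed Sysmon-style events (EventID 1 process creation, EventID 11 file creation) built from the PIDs, images, command lines and file paths in this report; the parent image of wscript.exe, the notepad.exe control event and its PID 4242 are assumptions made for the example.

```python
import re

# Constructed Sysmon-style events mirroring the process tree and Sigma hits in
# the report. PIDs, images, command lines and file paths are the report's; the
# explorer.exe parents, the notepad.exe control event and PID 4242 are assumed.
SAMPLE = r"C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
VBS = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs"
OPLE = r"C:\Users\user\AppData\Roaming\etwa\ople.exe.exe"

EVENTS = [
    {"EventID": 1, "ProcessId": 5596, "Image": REGASM, "CommandLine": f'"{SAMPLE}"', "ParentImage": SAMPLE},
    {"EventID": 11, "ProcessId": 5844, "Image": SAMPLE, "TargetFilename": VBS},
    {"EventID": 1, "ProcessId": 2208, "Image": WSCRIPT, "CommandLine": f'"{WSCRIPT}" "{VBS}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1796, "Image": OPLE, "CommandLine": OPLE, "ParentImage": WSCRIPT},
    {"EventID": 1, "ProcessId": 1428, "Image": REGASM, "CommandLine": OPLE, "ParentImage": OPLE},
    {"EventID": 11, "ProcessId": 5596, "Image": REGASM,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "ProcessId": 6076, "Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt', "ParentImage": r"C:\Windows\explorer.exe"},
]

STARTUP_DIR = "\\start menu\\programs\\startup\\"          # compared lower-cased
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".bat", ".cmd")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# NanoCore keeps its state file as <Roaming>\{GUID}\run.dat (see the Sigma hit).
RUN_DAT_RE = re.compile(
    r"\\appdata\\roaming\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\run\.dat$",
    re.IGNORECASE)


def leaf(path):
    """Last path component, lower-cased; works on Windows paths from any host."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def first_token(cmdline):
    """The program a command line starts with, honouring a quoted first argument."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def triage(events):
    """Return (rule, pid, detail) findings for the hollowing + Startup-VBS chain."""
    findings = []
    for ev in events:
        pid, image = ev.get("ProcessId"), ev.get("Image", "")
        if ev.get("EventID") == 1:
            cmd, parent = ev.get("CommandLine", ""), ev.get("ParentImage", "")
            # Hollowed process: the image on disk is not the program named on the
            # command line. (Real telemetry also needs bare names like "notepad"
            # normalised before comparing; omitted here for brevity.)
            if cmd and leaf(first_token(cmd)) != leaf(image):
                findings.append(("image_cmdline_mismatch", pid, f"{leaf(image)} <- {first_token(cmd)}"))
            # Script host executing a file that lives in the Startup folder.
            if leaf(image) in SCRIPT_HOSTS and STARTUP_DIR in cmd.lower():
                findings.append(("script_host_runs_startup_file", pid, cmd))
            # Script host spawning a binary kept in the user's roaming profile.
            if leaf(parent) in SCRIPT_HOSTS and "\\appdata\\roaming\\" in image.lower():
                findings.append(("script_host_spawns_appdata_exe", pid, image))
        elif ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            if STARTUP_DIR in target.lower() and target.lower().endswith(SCRIPT_EXT):
                findings.append(("script_dropped_to_startup", pid, target))
            if RUN_DAT_RE.search(target):
                findings.append(("nanocore_run_dat", pid, target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Both RegAsm.exe instances trip the image/command-line mismatch rule while conhost.exe and the notepad.exe control do not, and the run.dat rule fires on the same PID 5596 the Sigma overview names. In production the mismatch check needs an allow-list for launchers that legitimately rewrite their command line, but on a .NET framework binary such as RegAsm.exe it is a high-confidence signal.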
Malware Configuration

Threatname: Nanocore

{
  "Version": "1.2.2.0",
  "Mutex": "3b5167aa-3858-4f80-81dc-688e9982",
  "Group": "AtikuVSDino",
  "Domain1": "dinolachy.duckdns.org",
  "Domain2": "127.0.0.1",
  "Port": 5626,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Disable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Disable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}

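What a responder needs from that configuration is the C2 endpoint, the mutex, and the option flags that change host-side behaviour; note that the builder fills an unused C2 slot with 127.0.0.1, which must not be treated as an indicator, and that the client is configured to resolve through 8.8.8.8/8.8.4.4 rather than the local resolver. The following Python is an added example (not part of the report or of any Joe Sandbox tooling) that parses the extracted configuration, pasted verbatim from above, into hunt-ready indicators; the dynamic-DNS suffix list and the wording of the hunt notes are the example's own assumptions.

```python
import json

# The configuration exactly as the report's extractor recovered it.
CONFIG_JSON = (
    '{"Version": "1.2.2.0", "Mutex": "3b5167aa-3858-4f80-81dc-688e9982", "Group": "AtikuVSDino", '
    '"Domain1": "dinolachy.duckdns.org", "Domain2": "127.0.0.1", "Port": 5626, '
    '"KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", '
    '"BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", '
    '"SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", '
    '"EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, '
    '"TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, '
    '"WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", '
    '"UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}'
)

# Assumed, deliberately short list of dynamic-DNS suffixes worth flagging.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org", "zapto.org")
LOOPBACK_PREFIXES = ("127.", "0.0.0.0", "localhost")
# Enable/Disable switches in the NanoCore client config, in the order the extractor emits them.
OPTION_KEYS = ("KeyboardLogging", "RunOnStartup", "RequestElevation", "BypassUAC",
               "ClearZoneIdentifier", "ClearAccessControl", "SetCriticalProcess",
               "PreventSystemSleep", "ActivateAwayMode", "EnableDebugMode", "UseCustomDNS")


def parse_report_config(text=CONFIG_JSON):
    """Load the extractor's JSON into a dict."""
    return json.loads(text)


def nanocore_iocs(cfg):
    """Turn a NanoCore client config into hunt-ready indicators."""
    port = int(cfg.get("Port", 0))
    c2 = []
    for key in ("Domain1", "Domain2"):
        host = str(cfg.get(key, "")).strip()
        # Unused slots are filled with loopback; those are not C2 indicators.
        if not host or host.startswith(LOOPBACK_PREFIXES):
            continue
        c2.append({"host": host, "port": port,
                   "dynamic_dns": host.lower().endswith(DYNAMIC_DNS_SUFFIXES)})
    enabled = [k for k in OPTION_KEYS if str(cfg.get(k, "")).lower() == "enable"]
    custom_dns = []
    if "UseCustomDNS" in enabled:
        custom_dns = [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]
    return {
        "family": "NanoCore",
        "version": cfg.get("Version"),
        "group": cfg.get("Group"),
        "mutex": cfg.get("Mutex"),
        "c2": c2,
        "enabled_options": enabled,
        "custom_dns_servers": custom_dns,
        "keepalive_timeout_s": int(cfg.get("KeepAliveTimeout", 0)) / 1000,
    }


def hunt_notes(iocs):
    """Plain-language pointers a responder can act on, derived from the IOCs."""
    notes = []
    for entry in iocs["c2"]:
        notes.append(f"Block and alert on {entry['host']}:{entry['port']} (TCP)")
        if entry["dynamic_dns"]:
            notes.append(f"{entry['host']} is on a dynamic-DNS provider; the resolved IP can change, "
                         "so hunt on the name in DNS logs rather than on a single address")
    if iocs["custom_dns_servers"]:
        notes.append("Config points the client at " + ", ".join(iocs["custom_dns_servers"]) +
                     " as resolvers; if honoured, the lookup bypasses internal DNS, so also watch "
                     "outbound UDP/53 to those addresses")
    if "KeyboardLogging" in iocs["enabled_options"]:
        notes.append("Keylogging enabled: treat credentials typed on the host as compromised")
    notes.append(f"Mutex {iocs['mutex']} marks a running instance (enumerate mutants to confirm)")
    return notes


if __name__ == "__main__":
    result = nanocore_iocs(parse_report_config())
    print(json.dumps(result, indent=2))
    for note in hunt_notes(result):
        print("-", note)
```

The loopback filter is the part most often got wrong in quick IOC exports: a blocklist entry for 127.0.0.1 is noise at best and breaks things at worst. The keep-alive timeout is carried through as a value only; this example makes no claim about the client's actual beaconing cadence.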
Yara Overview

Memory Dumps

Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT), Author: Florian Roth
Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT), Author: Joe Security

Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp
Rule: NanoCore (description: unknown), Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT), Author: Florian Roth
Strings:
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost

Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT), Author: Florian Roth
Strings:
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost

(43 memory-dump entries in total; only the first are shown)
Unpacked PEs

Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT), Author: Florian Roth
Strings:
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost

Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT), Author: Florian Roth
Strings:
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost

Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT), Author: Joe Security

Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack
Rule: MALWARE_Win_NanoCore (Detects NanoCore), Author: ditekSHen
Strings:
  • 0xb14f:$x2: NanoCore.ClientPlugin
  • 0xb184:$x3: NanoCore.ClientPluginHost
  • 0xb143:$i2: IClientData
  • 0xb165:$i3: IClientNetwork
  • 0xb174:$i5: IClientDataHost
  • 0xb19e:$i6: IClientLoggingHost
  • 0xb1b1:$i7: IClientNetworkHost
  • 0xb1c4:$i8: IClientUIHost
  • 0xb1d2:$i9: IClientNameObjectCollection
  • 0xb1ee:$i10: IClientReadOnlyNameObjectCollection
  • 0xaf41:$s1: ClientPlugin
  • 0xb158:$s1: ClientPlugin
  • 0x10179:$s6: get_ClientSettings

Source: 12.2.RegAsm.exe.2ffb670.1.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT), Author: Florian Roth
Strings:
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

(88 unpacked-PE entries in total; only the first are shown)

Sigma Overview

AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe, ProcessId: 5844, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

No Snort rule has matched


      AV Detection

Source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore (same configuration as extracted above)
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Virustotal: Detection: 72%
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Metadefender: Detection: 41%
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | ReversingLabs: Detection: 73%
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | Avira: detection malicious, Label: HEUR/AGEN.1213119
Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | ReversingLabs: Detection: 63%
Source: Yara match | File source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | Joe Sandbox ML: detected
Source: 3.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.RegAsm.exe.56a0000.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: 12.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP | source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255855415.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255315849.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.293078354.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.291812090.0000000002E50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255855415.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255315849.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.293078354.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.291812090.0000000002E50000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Code function: 0_2_002651DA FindFirstFileExA
Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | Code function: 7_2_00AB51DA FindFirstFileExA

      Networking

Source: Malware configuration extractor | URLs: dinolachy.duckdns.org
Source: Malware configuration extractor | URLs: 127.0.0.1
Source: unknown | DNS query: name: dinolachy.duckdns.org
Source: Joe Sandbox View | ASN Name: WOWUS WOWUS
Source: Joe Sandbox View | IP Address: 192.169.69.25 192.169.69.25
Source: unknown | DNS traffic detected: queries for: dinolachy.duckdns.org
Source: RegAsm.exe, 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud

Source: Yara match | File source: the same 34 Yara matches (UNPACKEDPE, MEMORY and MEMORYSTR sources) listed under AV Detection above

      System Summary

Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 12.2.RegAsm.exe.2ffb670.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 12.2.RegAsm.exe.2ffb670.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 3.2.RegAsm.exe.2dc5cb4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.5650000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.RegAsm.exe.5650000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore, Author: ditekSHen
Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore, author = ditekSHen, description = Detects NanoCore
Source: 12.2.RegAsm.exe.2ffb670.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.2ffb670.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.2ffb670.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.2dc5cb4.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.RegAsm.exe.5650000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.5650000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.5650000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Code function: 0_2_00261000
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Code function: 0_2_0026B735
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Code function: 0_2_00D04515
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0528E471
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0528E480
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0528BBD4
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | Code function: 7_2_00AB1000
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | Code function: 7_2_00ABB735
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | Code function: 7_2_010D4515
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Binary or memory string: OriginalFilename vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.261116621.0000000002BB6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.256211245.0000000002D3F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000002.269032372.0000000000C90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunobservant.exe6 vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000000.242599852.0000000000275000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameunobservant.exe6 vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Binary or memory string: OriginalFilenameunobservant.exe6 vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: ople.exe.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Virustotal: Detection: 72%
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Metadefender: Detection: 41%
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | ReversingLabs: Detection: 73%
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | File read: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe "C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs"
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | File created: C:\Users\user\AppData\Roaming\etwa
      Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@10/4@12/2
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{3b5167aa-3858-4f80-81dc-688e9982fe68}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: wntdll.pdbUGP source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255855415.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255315849.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.293078354.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.291812090.0000000002E50000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255855415.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255315849.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.293078354.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.291812090.0000000002E50000.00000004.00001000.00020000.00000000.sdmp
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Data Obfuscation

      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | Code function: 0_2_002627F6 push ecx; ret
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | Code function: 7_2_00AB27F6 push ecx; ret
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | File created: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe

      Boot Survival

      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs

      Hooking and other Techniques for Hiding and Protection

      Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon (4).png
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4368Thread sleep time: -14757395258967632s >= -30000s
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe TID: 5928Thread sleep time: -31025s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6332Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 6505
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 2973
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: foregroundWindowGot 1009
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_002651DA FindFirstFileExA,
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB51DA FindFirstFileExA,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeThread delayed: delay time: 31025
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
      Source: RegAsm.exe, 00000003.00000002.510037415.0000000001195000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/&3OH,
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00262598 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00267394 GetProcessHeap,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00263E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00D04405 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00D04135 mov edx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00D043A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB3E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_010D4135 mov edx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_010D4405 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_010D43A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_002626FA SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00262598 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00264D99 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_002629CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB26FA SetUnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB4D99 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB2598 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB29CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D72008
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F1E008
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Source: RegAsm.exe, 00000003.00000002.510432918.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.511284047.00000000031D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managerh
      Source: RegAsm.exe, 00000003.00000002.510432918.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.514013008.0000000006D3E000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager
      Source: RegAsm.exe, 00000003.00000002.510432918.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.511284047.00000000031D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerL
      Source: RegAsm.exe, 00000003.00000002.510052393.00000000012AD000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager h
      Source: RegAsm.exe, 00000003.00000002.510432918.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.511284047.00000000031D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managerx
      Source: RegAsm.exe, 00000003.00000002.513862048.00000000062BD000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 'lProgram Manager
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_0026280B cpuid
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00262484 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

      Stealing of Sensitive Information

      Source: Yara matchFile source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR

      Remote Access Functionality

      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegAsm.exe, 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: ople.exe.exe, 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegAsm.exe, 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: Yara matchFile source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR
      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | 111 Scripting | 2 Registry Run Keys / Startup Folder | 212 Process Injection | 11 Masquerading | 11 Input Capture | 1 System Time Discovery | Remote Services | 11 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 2 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Remote Access Software | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 212 Process Injection | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 21 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | 111 Scripting | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
      External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Obfuscated Files or Information | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 11 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph (ID: 629870; Sample: 692BB93169319EBA2F556174D78...; Start date: 19/05/2022; Architecture: WINDOWS; Score: 100)
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures
692BB93169319EBA2F556174D781A8636D610A67E6838.exe (started)
• Dropped: C:\Users\user\AppData\...\ople.exe.exe (PE32); C:\Users\user\AppData\...\ople.exe.vbs (data)
• Signatures: Drops VBS files to the startup folder; Writes to foreign memory regions; Maps a DLL or memory area into another process
• Started: RegAsm.exe; conhost.exe
wscript.exe (started)
• Started: ople.exe.exe
RegAsm.exe (started by 692BB93169319EBA2F556174D781A8636D610A67E6838.exe)
• DNS/IP: dinolachy.duckdns.org 192.169.69.25, ports 49760, 49761, 49762, WOWUS, United States; 127.0.0.1 unknown unknown
• Dropped: C:\Users\user\AppData\Roaming\...\run.dat (data)
ople.exe.exe (started by wscript.exe)
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
• Started: RegAsm.exe; conhost.exe

Initial Sample: Source | Detection | Scanner | Label
692BB93169319EBA2F556174D781A8636D610A67E6838.exe | 72% | Virustotal |
692BB93169319EBA2F556174D781A8636D610A67E6838.exe | 41% | Metadefender |
692BB93169319EBA2F556174D781A8636D610A67E6838.exe | 73% | ReversingLabs | Win32.Trojan.AgentTesla
692BB93169319EBA2F556174D781A8636D610A67E6838.exe | 100% | Avira | HEUR/AGEN.1213119
692BB93169319EBA2F556174D781A8636D610A67E6838.exe | 100% | Joe Sandbox ML |
Dropped Files: Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | 100% | Avira | HEUR/AGEN.1213119
C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | 63% | ReversingLabs | Win32.Trojan.AgentTesla
Unpacked PE Files: Source | Detection | Scanner | Label
0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.260000.0.unpack | 100% | Avira | HEUR/AGEN.1213119
3.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
7.0.ople.exe.exe.ab0000.0.unpack | 100% | Avira | HEUR/AGEN.1213119
3.2.RegAsm.exe.56a0000.6.unpack | 100% | Avira | TR/NanoCore.fadte
0.0.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.260000.0.unpack | 100% | Avira | HEUR/AGEN.1213119
7.2.ople.exe.exe.ab0000.0.unpack | 100% | Avira | HEUR/AGEN.1213119
12.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
12.0.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
Domains: Source | Detection | Scanner | Label
dinolachy.duckdns.org | 1% | Virustotal |
URLs: Source | Detection | Scanner | Label
127.0.0.1 | 1% | Virustotal |
127.0.0.1 | 0% | Avira URL Cloud | safe
dinolachy.duckdns.org | 1% | Virustotal |
dinolachy.duckdns.org | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dinolachy.duckdns.org | 192.169.69.25 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
127.0.0.1 | true | 1% Virustotal; Avira URL Cloud: safe | unknown
dinolachy.duckdns.org | true | 1% Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.169.69.25 | dinolachy.duckdns.org | United States | 23033 | WOWUS | true
Private/loopback IP: 127.0.0.1
      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:629870
Start date and time: 19/05/2022 05:18:10 (2022-05-19 05:18:10 +02:00)
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 8m 10s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.expl.evad.winEXE@10/4@12/2
      EGA Information:
      • Successful, ratio: 75%
      HDC Information:
      • Successful, ratio: 87.3% (good quality ratio 79.3%)
      • Quality average: 77.4%
      • Quality standard deviation: 31.9%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Adjust boot time
      • Enable AMSI
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
      • Execution Graph export aborted for target RegAsm.exe, PID 1428 because it is empty
• Not all processes were analyzed; the report is missing behavior information
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
Time | Type | Description
05:19:25 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs
05:19:40 | API Interceptor | 1x Sleep call for process: ople.exe.exe modified
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1216
      Entropy (8bit):5.355304211458859
      Encrypted:false
      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
      MD5:69206D3AF7D6EFD08F4B4726998856D3
      SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
      SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
      SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
      Malicious:false
      Reputation:high, very likely benign file
      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      File Type:data
      Category:dropped
      Size (bytes):8
      Entropy (8bit):3.0
      Encrypted:false
      SSDEEP:3:Ll:Ll
      MD5:B0D520A58AFBB2268CEB35E278A4EB33
      SHA1:15B41F5F9DC6456482F03330B5450F3C0784F9A3
      SHA-256:D9BE84474B3876A55B0D1BD3971001A9F50C7F3039CEE9C09209C74E9C2BD316
      SHA-512:7E91CC1295EA5B68E151795ED5D6EC93105546405C02C56DC4A459A47865610D164D40635A0E01F91C4B4F63C353BEA0E7947DD4236BD189231235D0B66C605B
      Malicious:true
      Reputation:low
      Preview:f..dF9.H
      Process:C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      File Type:data
      Category:dropped
      Size (bytes):304
      Entropy (8bit):3.410548573208775
      Encrypted:false
      SSDEEP:6:xPW+YR4lAINl1fYlfm3OOQd4l1RIlRKUEZglJPZ60mlRA6DA6nMWl1fYlxCv:xQ4lAN0+vcIlRKMJelRRFSji
      MD5:36615C3E591704897CAC5551FFD58553
      SHA1:ABDC43118D030E3716FA302B5E6B5AA6D7FD3C72
      SHA-256:CF648418AC15FCD4CD81C2AD4E289F149B52FCA8A6198F39EFBE52D71C602B04
      SHA-512:ACE72BF54585FD266CCD8732146C8D1BCE5E4731EC44C18A005759622C938D34C435BED0EAC1EEECCAC732EC1C125566862748B101383BAE8D2C16B45525F1D7
      Malicious:true
      Reputation:low
Preview:O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .S.h.e.l.l.V.a.r. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...S.h.e.l.l.V.a.r...E.x.e.c.(.".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.e.t.w.a.\.o.p.l.e...e.x.e...e.x.e.".)...S.e.t.S.h.e.l.l.V.a.r. .=.N.o.t.h.i.n.g.
Preview decoded (the file is UTF-16LE text; the dots above are NUL bytes and line breaks): On Error Resume Next / Set ShellVar = CreateObject("WScript.Shell") / ShellVar.Exec("C:\Users\jones\AppData\Roaming\etwa\ople.exe.exe") / SetShellVar =Nothing
      Process:C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      File Type:PE32 executable (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):409170
      Entropy (8bit):7.3076840802364
      Encrypted:false
      SSDEEP:6144:PuWieVAGW6qGWdFlnHCDFrNAiX1AS0mrSMnBX21Cjna06R8fpR4Qq3fS:PVl+nHAZ19RrSMdd6qFyS
      MD5:CA51A0A9E3EF192B26D9818DC4EC5FF0
      SHA1:7D56B8436D501E6CDA892E61FA29BEEEDF65DA0E
      SHA-256:D0250A0B19CC73D8E6A4C97EA7935BA06BA70DD1FB9EEA8C44AEA396DD792A6E
      SHA-512:1997CFD7D25FFE7BB59A9C8A6F7E009D4B693FF4019B0E6698CEFE9FEBD393848C5F4DE9DD3025354E4059EAAD0B29CE2D3B141ED4586B1C7C8DB76303582F15
      Malicious:true
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      • Antivirus: Joe Sandbox ML, Detection: 100%
      • Antivirus: ReversingLabs, Detection: 63%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f...........8h.....8h......8h.....!......!......!......8h............9......9............9......Rich....................PE..L......]............................."............@.......................................@..................................!.......`..........................8...P...............................p...@............................................text...G........................... ..`.rdata..(Z.......\..................@..@.data........0....... ..............@....gfids.......P.......(..............@..@.rsrc........`.......*..............@..@.reloc..8...........................@..B........................................................................................................................................................................................................................................................
      File type:PE32 executable (console) Intel 80386, for MS Windows
      Entropy (8bit):7.307692888739697
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      File size:409169
      MD5:a93162e62b49a591e0d481e030ffc9ea
      SHA1:b0c48a0fc418977051bea837c16aa7928f654da7
      SHA256:692bb93169319eba2f556174d781a8636d610a67e6838e19300a8a2454cd8b2b
      SHA512:2f5c74acd25c9a7fae88736e25e526155d09d5c1c0f66c833c8e6e0c3dfd74fd7d53438089d5de5a07fd2935a78a27a13d3d6ddeef020d42ecafb38497926c25
      SSDEEP:6144:PuWieVAGW6qGWdFlnHCDFrNAiX1AS0mrSMnBX21Cjna06R8fpR4Qq3fm:PVl+nHAZ19RrSMdd6qFym
      TLSH:E3949D52F29698A5E426B1F8A8359D32122B7D9558348A0B31BB312D4E733D3DC77E0F
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f.............8h......8h......8h......!.......!.......!.......8h..............9.......9...............9.......Rich...........
      Icon Hash:4552445c54463289
      Entrypoint:0x402212
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows cui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x5DDBF1DC [Mon Nov 25 15:23:08 2019 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:6
      OS Version Minor:0
      File Version Major:6
      File Version Minor:0
      Subsystem Version Major:6
      Subsystem Version Minor:0
      Import Hash:695a88385098872b689faf1f231ef8ea
Entrypoint preview (disassembly):
      call 00007FBE38700972h
      jmp 00007FBE3870058Dh
      push ebp
      mov ebp, esp
      mov eax, dword ptr [ebp+08h]
      push esi
      mov ecx, dword ptr [eax+3Ch]
      add ecx, eax
      movzx eax, word ptr [ecx+14h]
      lea edx, dword ptr [ecx+18h]
      add edx, eax
      movzx eax, word ptr [ecx+06h]
      imul esi, eax, 28h
      add esi, edx
      cmp edx, esi
      je 00007FBE3870071Bh
      mov ecx, dword ptr [ebp+0Ch]
      cmp ecx, dword ptr [edx+0Ch]
      jc 00007FBE3870070Ch
      mov eax, dword ptr [edx+08h]
      add eax, dword ptr [edx+0Ch]
      cmp ecx, eax
      jc 00007FBE3870070Eh
      add edx, 28h
      cmp edx, esi
      jne 00007FBE387006ECh
      xor eax, eax
      pop esi
      pop ebp
      ret
      mov eax, edx
      jmp 00007FBE387006FBh
      call 00007FBE38700E4Fh
      test eax, eax
      jne 00007FBE38700705h
      xor al, al
      ret
      mov eax, dword ptr fs:[00000018h]
      push esi
      mov esi, 00413794h
      mov edx, dword ptr [eax+04h]
      jmp 00007FBE38700706h
      cmp edx, eax
      je 00007FBE38700712h
      xor eax, eax
      mov ecx, edx
      lock cmpxchg dword ptr [esi], ecx
      test eax, eax
      jne 00007FBE387006F2h
      xor al, al
      pop esi
      ret
      mov al, 01h
      pop esi
      ret
      push ebp
      mov ebp, esp
      cmp dword ptr [ebp+08h], 00000000h
      jne 00007FBE38700709h
      mov byte ptr [004137B0h], 00000001h
      call 00007FBE38700C66h
      call 00007FBE387010ECh
      test al, al
      jne 00007FBE38700706h
      xor al, al
      pop ebp
      ret
      call 00007FBE38702A00h
      test al, al
      jne 00007FBE3870070Ch
      push 00000000h
      call 00007FBE387010FDh
      pop ecx
      jmp 00007FBE387006EBh
      mov al, 01h
      pop ebp
      ret
      push ebp
      mov ebp, esp
      sub esp, 0Ch
      push esi
      mov esi, dword ptr [ebp+08h]
      test esi, esi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12114 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x18b90 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0xe38 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11a50 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11a70 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x1b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xbf47 | 0xc000 | False | 0.579060872396 | data | 6.64391063708 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x5a28 | 0x5c00 | False | 0.417246942935 | data | 4.87173398485 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x13000 | 0x11b8 | 0x800 | False | 0.17236328125 | DOS executable (block device driver \277DN) | 2.05377921789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids | 0x15000 | 0xac | 0x200 | False | 0.271484375 | data | 1.40558316368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x16000 | 0x18b90 | 0x18c00 | False | 0.210611979167 | data | 4.88160389879 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2f000 | 0xe38 | 0x1000 | False | 0.744140625 | data | 6.17873004973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x164b8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x16920 | 0x10a8 | data | English | United States
RT_ICON | 0x179c8 | 0x25a8 | data | English | United States
RT_ICON | 0x19f70 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x1e198 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 33554431, next used block 33554431 | English | United States
RT_GROUP_ICON | 0x2e9c0 | 0x4c | data | English | United States
RT_VERSION | 0x161f0 | 0x2c8 | data | English | United States
RT_MANIFEST | 0x2ea10 | 0x17d | XML 1.0 document text | English | United States
DLL | Import
KERNEL32.dll | VirtualProtect, GetConsoleWindow, CreateFileW, DecodePointer, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, GetStringTypeW, GetFileType, SetStdHandle, LCMapStringW, CompareStringW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, GetOEMCP, IsValidCodePage, FindNextFileA, FindFirstFileExA, FindClose, CloseHandle, HeapAlloc, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetACP, HeapFree, RaiseException
imagehlp.dll | UnDecorateSymbolName, SymGetSymFromAddr64
MAPI32.dll |
USER32.dll | GetAncestor, SetWindowPos, ChangeMenuA, BroadcastSystemMessage, SubtractRect, IsDialogMessageA, CountClipboardFormats
mscms.dll | DeleteColorTransform, InstallColorProfileA, SetColorProfileHeader, GetPS2ColorRenderingIntent, SetColorProfileElementReference
WINSPOOL.DRV | EnumPrinterDataW, OpenPrinterA, EnumPrinterKeyA
ODBC32.dll |
msi.dll |
Description | Data
LegalCopyright | Copyright (C) land-born 2019
InternalName | cardsharper.exe
FileVersion | 8.2.1.4
CompanyName | vanes
ProductName | aggeration
ProductVersion | 7.6.0.2
FileDescription | spermary
OriginalFilename | unobservant.exe
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken
English | United States
TCP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 19, 2022 05:19:35.391271114 CEST | 49760 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:35.604505062 CEST | 5626 | 49760 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:19:35.604670048 CEST | 49760 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:35.661648035 CEST | 49760 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:35.899727106 CEST | 5626 | 49760 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:19:40.045200109 CEST | 49761 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:40.334722042 CEST | 5626 | 49761 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:19:40.334908962 CEST | 49761 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:40.355438948 CEST | 49761 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:40.629517078 CEST | 5626 | 49761 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:19:44.675549030 CEST | 49762 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:44.999265909 CEST | 5626 | 49762 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:19:44.999759912 CEST | 49762 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:45.004966021 CEST | 49762 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:45.291423082 CEST | 5626 | 49762 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:04.840961933 CEST | 49774 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:05.154113054 CEST | 5626 | 49774 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:05.154316902 CEST | 49774 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:05.161387920 CEST | 49774 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:05.464230061 CEST | 5626 | 49774 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:09.601588964 CEST | 49775 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:09.902873039 CEST | 5626 | 49775 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:09.903219938 CEST | 49775 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:09.904114008 CEST | 49775 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:10.191227913 CEST | 5626 | 49775 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:14.236185074 CEST | 49776 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:14.530116081 CEST | 5626 | 49776 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:14.530278921 CEST | 49776 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:14.530742884 CEST | 49776 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:14.815737009 CEST | 5626 | 49776 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:34.964564085 CEST | 49829 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:35.244076967 CEST | 5626 | 49829 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:35.244360924 CEST | 49829 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:35.251326084 CEST | 49829 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:35.520592928 CEST | 5626 | 49829 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:39.559667110 CEST | 49837 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:39.872410059 CEST | 5626 | 49837 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:39.872554064 CEST | 49837 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:39.873094082 CEST | 49837 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:40.164750099 CEST | 5626 | 49837 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:44.291788101 CEST | 49839 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:44.577816963 CEST | 5626 | 49839 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:44.579777002 CEST | 49839 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:44.602205038 CEST | 49839 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:44.877954006 CEST | 5626 | 49839 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:04.218692064 CEST | 49866 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:04.455672026 CEST | 5626 | 49866 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:04.455786943 CEST | 49866 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:04.458276033 CEST | 49866 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:04.747319937 CEST | 5626 | 49866 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:08.868937969 CEST | 49869 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:09.173266888 CEST | 5626 | 49869 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:09.173451900 CEST | 49869 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:09.174114943 CEST | 49869 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:09.475833893 CEST | 5626 | 49869 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:13.529231071 CEST | 49871 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:13.753601074 CEST | 5626 | 49871 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:13.753717899 CEST | 49871 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:13.763097048 CEST | 49871 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:14.037683010 CEST | 5626 | 49871 | 192.169.69.25 | 192.168.2.4
UDP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 19, 2022 05:19:35.271678925 CEST | 60506 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:19:35.380067110 CEST | 53 | 60506 | 8.8.8.8 | 192.168.2.4
May 19, 2022 05:19:39.935419083 CEST | 64277 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:19:40.044132948 CEST | 53 | 64277 | 8.8.8.8 | 192.168.2.4
May 19, 2022 05:19:44.650464058 CEST | 56076 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:19:44.667726994 CEST | 53 | 56076 | 8.8.8.8 | 192.168.2.4
May 19, 2022 05:20:04.727262020 CEST | 60381 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:20:04.837091923 CEST | 53 | 60381 | 8.8.8.8 | 192.168.2.4
May 19, 2022 05:20:09.485280991 CEST | 56509 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:20:09.593802929 CEST | 53 | 56509 | 8.8.8.8 | 192.168.2.4
May 19, 2022 05:20:14.216454983 CEST | 54069 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:20:14.234416008 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.4
May 19, 2022 05:20:34.752480030 CEST | 61497 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:20:34.861716032 CEST | 53 | 61497 | 8.8.8.8 | 192.168.2.4
May 19, 2022 05:20:39.538358927 CEST | 60418 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:20:39.558176041 CEST | 53 | 60418 | 8.8.8.8 | 192.168.2.4
May 19, 2022 05:20:44.182333946 CEST | 64259 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:20:44.290632010 CEST | 53 | 64259 | 8.8.8.8 | 192.168.2.4
May 19, 2022 05:21:04.108495951 CEST | 58715 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:21:04.217644930 CEST | 53 | 58715 | 8.8.8.8 | 192.168.2.4
May 19, 2022 05:21:08.758953094 CEST | 57816 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:21:08.867835999 CEST | 53 | 57816 | 8.8.8.8 | 192.168.2.4
May 19, 2022 05:21:13.507783890 CEST | 53916 | 53 | 192.168.2.4 | 8.8.8.8
May 19, 2022 05:21:13.527236938 CEST | 53 | 53916 | 8.8.8.8 | 192.168.2.4
DNS queries: Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 19, 2022 05:19:35.271678925 CEST | 192.168.2.4 | 8.8.8.8 | 0x19ec | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
May 19, 2022 05:19:39.935419083 CEST | 192.168.2.4 | 8.8.8.8 | 0x5d07 | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
May 19, 2022 05:19:44.650464058 CEST | 192.168.2.4 | 8.8.8.8 | 0x6fcf | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
May 19, 2022 05:20:04.727262020 CEST | 192.168.2.4 | 8.8.8.8 | 0xf60b | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
May 19, 2022 05:20:09.485280991 CEST | 192.168.2.4 | 8.8.8.8 | 0x474 | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
May 19, 2022 05:20:14.216454983 CEST | 192.168.2.4 | 8.8.8.8 | 0x37a | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
May 19, 2022 05:20:34.752480030 CEST | 192.168.2.4 | 8.8.8.8 | 0xd39f | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
May 19, 2022 05:20:39.538358927 CEST | 192.168.2.4 | 8.8.8.8 | 0x6194 | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
May 19, 2022 05:20:44.182333946 CEST | 192.168.2.4 | 8.8.8.8 | 0x4b2c | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
May 19, 2022 05:21:04.108495951 CEST | 192.168.2.4 | 8.8.8.8 | 0x30ea | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
May 19, 2022 05:21:08.758953094 CEST | 192.168.2.4 | 8.8.8.8 | 0xa247 | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
May 19, 2022 05:21:13.507783890 CEST | 192.168.2.4 | 8.8.8.8 | 0x5cde | Standard query (0) | dinolachy.duckdns.org | A (IP address) | IN (0x0001)
DNS answers: Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 19, 2022 05:19:35.380067110 CEST | 8.8.8.8 | 192.168.2.4 | 0x19ec | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)
May 19, 2022 05:19:40.044132948 CEST | 8.8.8.8 | 192.168.2.4 | 0x5d07 | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)
May 19, 2022 05:19:44.667726994 CEST | 8.8.8.8 | 192.168.2.4 | 0x6fcf | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)
May 19, 2022 05:20:04.837091923 CEST | 8.8.8.8 | 192.168.2.4 | 0xf60b | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)
May 19, 2022 05:20:09.593802929 CEST | 8.8.8.8 | 192.168.2.4 | 0x474 | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)
May 19, 2022 05:20:14.234416008 CEST | 8.8.8.8 | 192.168.2.4 | 0x37a | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)
May 19, 2022 05:20:34.861716032 CEST | 8.8.8.8 | 192.168.2.4 | 0xd39f | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)
May 19, 2022 05:20:39.558176041 CEST | 8.8.8.8 | 192.168.2.4 | 0x6194 | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)
May 19, 2022 05:20:44.290632010 CEST | 8.8.8.8 | 192.168.2.4 | 0x4b2c | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)
May 19, 2022 05:21:04.217644930 CEST | 8.8.8.8 | 192.168.2.4 | 0x30ea | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)
May 19, 2022 05:21:08.867835999 CEST | 8.8.8.8 | 192.168.2.4 | 0xa247 | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)
May 19, 2022 05:21:13.527236938 CEST | 8.8.8.8 | 192.168.2.4 | 0x5cde | No error (0) | dinolachy.duckdns.org | | 192.169.69.25 | A (IP address) | IN (0x0001)


      Target ID:0
      Start time:05:19:17
      Start date:19/05/2022
      Path:C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
      Imagebase:0x260000
      File size:409169 bytes
      MD5 hash:A93162E62B49A591E0D481E030FFC9EA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      Target ID:1
      Start time:05:19:18
      Start date:19/05/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff647620000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:3
      Start time:05:19:25
      Start date:19/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
      Imagebase:0xa90000
      File size:64616 bytes
      MD5 hash:6FD7592411112729BF6B1F2F6C34899F
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
      • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:high

      Target ID:6
      Start time:05:19:35
      Start date:19/05/2022
      Path:C:\Windows\System32\wscript.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs"
      Imagebase:0x7ff784990000
      File size:163840 bytes
      MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:7
      Start time:05:19:36
      Start date:19/05/2022
      Path:C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Imagebase:0xab0000
      File size:409170 bytes
      MD5 hash:CA51A0A9E3EF192B26D9818DC4EC5FF0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
      • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Antivirus matches:
      • Detection: 100%, Avira
      • Detection: 100%, Joe Sandbox ML
      • Detection: 63%, ReversingLabs
      Reputation:low

      Target ID:8
      Start time:05:19:36
      Start date:19/05/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff647620000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:12
      Start time:05:19:40
      Start date:19/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Imagebase:0xca0000
      File size:64616 bytes
      MD5 hash:6FD7592411112729BF6B1F2F6C34899F
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:high
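
Indicator checks over the process records above, as an added example (Python written for this page, not part of the Joe Sandbox report). The records are constructed from the Path and Commandline fields of each Target ID; the indicator names and the user-profile path heuristic are assumptions made here. The check that matters most for this sample is the first one: Target IDs 3 and 12 are RegAsm.exe images whose command line names a different executable, the usual trace of a payload written into a freshly created, suspended copy of a signed Microsoft binary, and in both cases the executable the command line names is the image path of an earlier target (0 and 7), which identifies the injecting process. The other two checks pick up the VBS run from the Startup folder (Target ID 6) and the copy executing from AppData\Roaming (Target ID 7).

```python
"""Indicator checks over the report's process list.

Added example, not part of the Joe Sandbox report: PROCESSES is constructed
from the Path and Commandline fields of the Target ID entries above; the
indicator names and the user-writable path heuristic are assumptions made here.
"""
import ntpath  # Windows path semantics regardless of the host this runs on

PROCESSES = [
    {"id": 0, "path": r"C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe",
     "cmdline": r'"C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"'},
    {"id": 1, "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"id": 3, "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"'},
    {"id": 6, "path": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs"'},
    {"id": 7, "path": r"C:\Users\user\AppData\Roaming\etwa\ople.exe.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\etwa\ople.exe.exe"},
    {"id": 8, "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"id": 12, "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\etwa\ople.exe.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Heuristic (assumption): user-writable profile locations where dropped payloads usually land
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def argv(cmdline: str) -> list:
    """Split a Windows command line on whitespace outside double quotes
    (sufficient for the lines above; CommandLineToArgvW's backslash rules are not modelled)."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def claimed_image(proc: dict) -> str:
    """Executable named by argv[0]; a hollowed process keeps the injector's command line."""
    args = argv(proc["cmdline"])
    return args[0] if args else ""


def image_mismatch(proc: dict) -> bool:
    """True when the loaded image and the executable the command line claims differ."""
    claimed = ntpath.basename(claimed_image(proc)).lower()
    return bool(claimed) and claimed != ntpath.basename(proc["path"]).lower()


def startup_script(proc: dict):
    """Script path when a script host is launched on a file under the user's Startup folder."""
    if ntpath.basename(proc["path"]).lower() not in SCRIPT_HOSTS:
        return None
    for arg in argv(proc["cmdline"])[1:]:
        if STARTUP_DIR in arg.lower():
            return arg
    return None


def indicators(procs: list) -> list:
    """Run every check and tie each mismatch back to the process whose image
    path the command line actually names (the likely injector)."""
    by_path = {p["path"].lower(): p["id"] for p in procs}
    hits = []
    for p in procs:
        if image_mismatch(p):
            claimed = claimed_image(p)
            hits.append({"id": p["id"], "indicator": "image/cmdline mismatch",
                         "image": ntpath.basename(p["path"]), "claimed": claimed,
                         "source_id": by_path.get(claimed.lower())})
        script = startup_script(p)
        if script:
            hits.append({"id": p["id"], "indicator": "script host run from Startup folder",
                         "script": script})
        if any(frag in p["path"].lower() for frag in USER_WRITABLE):
            hits.append({"id": p["id"], "indicator": "image under user-writable profile path",
                         "path": p["path"]})
    return hits


if __name__ == "__main__":
    for hit in indicators(PROCESSES):
        print(hit)
```

The mismatch check is the one worth porting to endpoint telemetry: most EDR and Sysmon process-creation events carry both the image path and the full command line, and a Microsoft-signed image such as RegAsm.exe whose command line names a file in a user's profile is a small, high-signal query.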

      No disassembly