| 14.0.InstallUtil.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 14.0.InstallUtil.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 14.0.InstallUtil.exe.400000.1.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 15.3.Qjarsxlh.exe.4548ea0.5.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91e4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x56f51:$s4: VmlydHVhbFByb3RlY3Q
|
| 14.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 14.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 14.2.InstallUtil.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 15.2.Qjarsxlh.exe.61c0000.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x58d51:$s4: VmlydHVhbFByb3RlY3Q
|
| 0.2.TM57812337.exe.52c0000.4.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91e4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x56f51:$s4: VmlydHVhbFByb3RlY3Q
|
| 16.2.Qjarsxlh.exe.59f0000.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x58d51:$s4: VmlydHVhbFByb3RlY3Q
|
| 16.3.Qjarsxlh.exe.3c38e80.2.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91e4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x56f51:$s4: VmlydHVhbFByb3RlY3Q
|
| 15.3.Qjarsxlh.exe.4488e60.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x4b004:$s3: QW1zaVNjYW5CdWZmZXI
- 0x98d71:$s4: VmlydHVhbFByb3RlY3Q
|
| 33.0.InstallUtil.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 33.0.InstallUtil.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 33.0.InstallUtil.exe.400000.1.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 32.2.InstallUtil.exe.3fb455d.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0xb184:$x1: NanoCore.ClientPluginHost
- 0x23c38:$x1: NanoCore.ClientPluginHost
- 0xb1b1:$x2: IClientNetworkHost
- 0x23c65:$x2: IClientNetworkHost
|
| 32.2.InstallUtil.exe.3fb455d.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xb184:$x2: NanoCore.ClientPluginHost
- 0x23c38:$x2: NanoCore.ClientPluginHost
- 0xc25f:$s4: PipeCreated
- 0x24d13:$s4: PipeCreated
- 0xb19e:$s5: IClientLoggingHost
- 0x23c52:$s5: IClientLoggingHost
|
| 32.2.InstallUtil.exe.3fb455d.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 32.2.InstallUtil.exe.3fb455d.4.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xb14f:$x2: NanoCore.ClientPlugin
- 0x23c03:$x2: NanoCore.ClientPlugin
- 0xb184:$x3: NanoCore.ClientPluginHost
- 0x23c38:$x3: NanoCore.ClientPluginHost
- 0xb143:$i2: IClientData
- 0x23bf7:$i2: IClientData
- 0xb165:$i3: IClientNetwork
- 0x23c19:$i3: IClientNetwork
- 0xb174:$i5: IClientDataHost
- 0x23c28:$i5: IClientDataHost
- 0xb19e:$i6: IClientLoggingHost
- 0x23c52:$i6: IClientLoggingHost
- 0xb1b1:$i7: IClientNetworkHost
- 0x23c65:$i7: IClientNetworkHost
- 0xb1c4:$i8: IClientUIHost
- 0x23c78:$i8: IClientUIHost
- 0xb1d2:$i9: IClientNameObjectCollection
- 0x23c86:$i9: IClientNameObjectCollection
- 0xb1ee:$i10: IClientReadOnlyNameObjectCollection
- 0x23ca2:$i10: IClientReadOnlyNameObjectCollection
- 0xaf41:$s1: ClientPlugin
|
| 16.2.Qjarsxlh.exe.3b87b90.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 16.2.Qjarsxlh.exe.3b87b90.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 16.2.Qjarsxlh.exe.3b87b90.3.raw.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 0.3.TM57812337.exe.36e8e80.0.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91e4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x56f51:$s4: VmlydHVhbFByb3RlY3Q
|
| 33.0.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 33.0.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 33.0.InstallUtil.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 15.3.Qjarsxlh.exe.4548ea0.5.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| 15.3.Qjarsxlh.exe.4548ea0.5.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x58d51:$s4: VmlydHVhbFByb3RlY3Q
|
| 12.3.Qqsucntzxgqwkiqkvrafiufflip.exe.3ed0b10.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafc8:$s3: QW1zaVNjYW5CdWZmZXI
- 0x2afe8:$s3: QW1zaVNjYW5CdWZmZXI
- 0x6b008:$s3: QW1zaVNjYW5CdWZmZXI
- 0xc7940:$s4: VmlydHVhbFByb3RlY3Q
|
| 0.2.TM57812337.exe.52c0000.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x58d51:$s4: VmlydHVhbFByb3RlY3Q
|
| 15.3.Qjarsxlh.exe.44c8e80.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x58d51:$s4: VmlydHVhbFByb3RlY3Q
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3f05380.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0x1018d:$x1: NanoCore.ClientPluginHost
- 0x101ca:$x2: IClientNetworkHost
- 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3f05380.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xff05:$x1: NanoCore Client.exe
- 0x1018d:$x2: NanoCore.ClientPluginHost
- 0x117c6:$s1: PluginCommand
- 0x117ba:$s2: FileCommand
- 0x1266b:$s3: PipeExists
- 0x18422:$s4: PipeCreated
- 0x101b7:$s5: IClientLoggingHost
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3f05380.5.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3f05380.5.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xfef5:$x1: NanoCore Client
- 0xff05:$x1: NanoCore Client
- 0x1014d:$x2: NanoCore.ClientPlugin
- 0x1018d:$x3: NanoCore.ClientPluginHost
- 0x10142:$i1: IClientApp
- 0x10163:$i2: IClientData
- 0x1016f:$i3: IClientNetwork
- 0x1017e:$i4: IClientAppHost
- 0x101a7:$i5: IClientDataHost
- 0x101b7:$i6: IClientLoggingHost
- 0x101ca:$i7: IClientNetworkHost
- 0x101dd:$i8: IClientUIHost
- 0x101eb:$i9: IClientNameObjectCollection
- 0x10207:$i10: IClientReadOnlyNameObjectCollection
- 0xff54:$s1: ClientPlugin
- 0x10156:$s1: ClientPlugin
- 0x1064a:$s2: EndPoint
- 0x10653:$s3: IPAddress
- 0x1065d:$s4: IPEndPoint
- 0x12093:$s6: get_ClientSettings
- 0x12637:$s7: get_Connected
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3f05380.5.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xfef5:$a: NanoCore
- 0xff05:$a: NanoCore
- 0x10139:$a: NanoCore
- 0x1014d:$a: NanoCore
- 0x1018d:$a: NanoCore
- 0xff54:$b: ClientPlugin
- 0x10156:$b: ClientPlugin
- 0x10196:$b: ClientPlugin
- 0x1007b:$c: ProjectData
- 0x10a82:$d: DESCrypto
- 0x1844e:$e: KeepAlive
- 0x1643c:$g: LogClientMessage
- 0x12637:$i: get_Connected
- 0x10db8:$j: #=q
- 0x10de8:$j: #=q
- 0x10e04:$j: #=q
- 0x10e34:$j: #=q
- 0x10e50:$j: #=q
- 0x10e6c:$j: #=q
- 0x10e9c:$j: #=q
- 0x10eb8:$j: #=q
|
| 12.3.Qqsucntzxgqwkiqkvrafiufflip.exe.3fb0b70.4.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91c8:$s3: QW1zaVNjYW5CdWZmZXI
- 0x65b00:$s4: VmlydHVhbFByb3RlY3Q
|
| 33.0.InstallUtil.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 33.0.InstallUtil.exe.400000.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 33.0.InstallUtil.exe.400000.2.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 32.0.InstallUtil.exe.400000.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0x1018d:$x1: NanoCore.ClientPluginHost
- 0x101ca:$x2: IClientNetworkHost
- 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 32.0.InstallUtil.exe.400000.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xff05:$x1: NanoCore Client.exe
- 0x1018d:$x2: NanoCore.ClientPluginHost
- 0x117c6:$s1: PluginCommand
- 0x117ba:$s2: FileCommand
- 0x1266b:$s3: PipeExists
- 0x18422:$s4: PipeCreated
- 0x101b7:$s5: IClientLoggingHost
|
| 32.0.InstallUtil.exe.400000.3.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 32.0.InstallUtil.exe.400000.3.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xfef5:$x1: NanoCore Client
- 0xff05:$x1: NanoCore Client
- 0x1014d:$x2: NanoCore.ClientPlugin
- 0x1018d:$x3: NanoCore.ClientPluginHost
- 0x10142:$i1: IClientApp
- 0x10163:$i2: IClientData
- 0x1016f:$i3: IClientNetwork
- 0x1017e:$i4: IClientAppHost
- 0x101a7:$i5: IClientDataHost
- 0x101b7:$i6: IClientLoggingHost
- 0x101ca:$i7: IClientNetworkHost
- 0x101dd:$i8: IClientUIHost
- 0x101eb:$i9: IClientNameObjectCollection
- 0x10207:$i10: IClientReadOnlyNameObjectCollection
- 0xff54:$s1: ClientPlugin
- 0x10156:$s1: ClientPlugin
- 0x1064a:$s2: EndPoint
- 0x10653:$s3: IPAddress
- 0x1065d:$s4: IPEndPoint
- 0x12093:$s6: get_ClientSettings
- 0x12637:$s7: get_Connected
|
| 32.0.InstallUtil.exe.400000.3.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xfef5:$a: NanoCore
- 0xff05:$a: NanoCore
- 0x10139:$a: NanoCore
- 0x1014d:$a: NanoCore
- 0x1018d:$a: NanoCore
- 0xff54:$b: ClientPlugin
- 0x10156:$b: ClientPlugin
- 0x10196:$b: ClientPlugin
- 0x1007b:$c: ProjectData
- 0x10a82:$d: DESCrypto
- 0x1844e:$e: KeepAlive
- 0x1643c:$g: LogClientMessage
- 0x12637:$i: get_Connected
- 0x10db8:$j: #=q
- 0x10de8:$j: #=q
- 0x10e04:$j: #=q
- 0x10e34:$j: #=q
- 0x10e50:$j: #=q
- 0x10e6c:$j: #=q
- 0x10e9c:$j: #=q
- 0x10eb8:$j: #=q
|
| 15.2.Qjarsxlh.exe.61c0000.4.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91e4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x56f51:$s4: VmlydHVhbFByb3RlY3Q
|
| 16.3.Qjarsxlh.exe.3c38e80.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x58d51:$s4: VmlydHVhbFByb3RlY3Q
|
| 16.3.Qjarsxlh.exe.3bf8e60.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x4b004:$s3: QW1zaVNjYW5CdWZmZXI
- 0x98d71:$s4: VmlydHVhbFByb3RlY3Q
|
| 15.2.Qjarsxlh.exe.4417b90.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 15.2.Qjarsxlh.exe.4417b90.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 15.2.Qjarsxlh.exe.4417b90.3.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x30d4c:$s10: logins
- 0x307b3:$s11: credential
- 0x2cd9d:$g1: get_Clipboard
- 0x2cdab:$g2: get_Keyboard
- 0x2cdb8:$g3: get_Password
- 0x2e0a4:$g4: get_CtrlKeyDown
- 0x2e0b4:$g5: get_ShiftKeyDown
- 0x2e0c5:$g6: get_AltKeyDown
|
| 32.2.InstallUtil.exe.2fcb430.1.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0xe75:$x1: NanoCore.ClientPluginHost
- 0xe8f:$x2: IClientNetworkHost
|
| 32.2.InstallUtil.exe.2fcb430.1.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xe75:$x2: NanoCore.ClientPluginHost
- 0x1261:$s3: PipeExists
- 0x1136:$s4: PipeCreated
- 0xeb0:$s5: IClientLoggingHost
|
| 32.2.InstallUtil.exe.2fcb430.1.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xe38:$x2: NanoCore.ClientPlugin
- 0xe75:$x3: NanoCore.ClientPluginHost
- 0xe5a:$i1: IClientApp
- 0xe4e:$i2: IClientData
- 0xe29:$i3: IClientNetwork
- 0xec3:$i4: IClientAppHost
- 0xe65:$i5: IClientDataHost
- 0xeb0:$i6: IClientLoggingHost
- 0xe8f:$i7: IClientNetworkHost
- 0xea2:$i8: IClientUIHost
- 0xed2:$i9: IClientNameObjectCollection
- 0xef7:$i10: IClientReadOnlyNameObjectCollection
- 0xe41:$s1: ClientPlugin
- 0x177c:$s1: ClientPlugin
- 0x1789:$s1: ClientPlugin
- 0x1e0b0:$s1: ClientPlugin
- 0x11f9:$s6: get_ClientSettings
- 0x1249:$s7: get_Connected
|
| 16.3.Qjarsxlh.exe.3bd8e40.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x2b004:$s3: QW1zaVNjYW5CdWZmZXI
- 0x6b024:$s3: QW1zaVNjYW5CdWZmZXI
- 0xb8d91:$s4: VmlydHVhbFByb3RlY3Q
|
| 32.0.InstallUtil.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0x1018d:$x1: NanoCore.ClientPluginHost
- 0x101ca:$x2: IClientNetworkHost
- 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 32.0.InstallUtil.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xff05:$x1: NanoCore Client.exe
- 0x1018d:$x2: NanoCore.ClientPluginHost
- 0x117c6:$s1: PluginCommand
- 0x117ba:$s2: FileCommand
- 0x1266b:$s3: PipeExists
- 0x18422:$s4: PipeCreated
- 0x101b7:$s5: IClientLoggingHost
|
| 32.0.InstallUtil.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 32.0.InstallUtil.exe.400000.0.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xfef5:$x1: NanoCore Client
- 0xff05:$x1: NanoCore Client
- 0x1014d:$x2: NanoCore.ClientPlugin
- 0x1018d:$x3: NanoCore.ClientPluginHost
- 0x10142:$i1: IClientApp
- 0x10163:$i2: IClientData
- 0x1016f:$i3: IClientNetwork
- 0x1017e:$i4: IClientAppHost
- 0x101a7:$i5: IClientDataHost
- 0x101b7:$i6: IClientLoggingHost
- 0x101ca:$i7: IClientNetworkHost
- 0x101dd:$i8: IClientUIHost
- 0x101eb:$i9: IClientNameObjectCollection
- 0x10207:$i10: IClientReadOnlyNameObjectCollection
- 0xff54:$s1: ClientPlugin
- 0x10156:$s1: ClientPlugin
- 0x1064a:$s2: EndPoint
- 0x10653:$s3: IPAddress
- 0x1065d:$s4: IPEndPoint
- 0x12093:$s6: get_ClientSettings
- 0x12637:$s7: get_Connected
|
| 32.0.InstallUtil.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xfef5:$a: NanoCore
- 0xff05:$a: NanoCore
- 0x10139:$a: NanoCore
- 0x1014d:$a: NanoCore
- 0x1018d:$a: NanoCore
- 0xff54:$b: ClientPlugin
- 0x10156:$b: ClientPlugin
- 0x10196:$b: ClientPlugin
- 0x1007b:$c: ProjectData
- 0x10a82:$d: DESCrypto
- 0x1844e:$e: KeepAlive
- 0x1643c:$g: LogClientMessage
- 0x12637:$i: get_Connected
- 0x10db8:$j: #=q
- 0x10de8:$j: #=q
- 0x10e04:$j: #=q
- 0x10e34:$j: #=q
- 0x10e50:$j: #=q
- 0x10e6c:$j: #=q
- 0x10e9c:$j: #=q
- 0x10eb8:$j: #=q
|
| 16.2.Qjarsxlh.exe.3b87b90.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 16.2.Qjarsxlh.exe.3b87b90.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 16.2.Qjarsxlh.exe.3b87b90.3.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x30d4c:$s10: logins
- 0x307b3:$s11: credential
- 0x2cd9d:$g1: get_Clipboard
- 0x2cdab:$g2: get_Keyboard
- 0x2cdb8:$g3: get_Password
- 0x2e0a4:$g4: get_CtrlKeyDown
- 0x2e0b4:$g5: get_ShiftKeyDown
- 0x2e0c5:$g6: get_AltKeyDown
|
| 0.3.TM57812337.exe.3768ea0.3.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91e4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x56f51:$s4: VmlydHVhbFByb3RlY3Q
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3eb5360.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0xe38d:$x1: NanoCore.ClientPluginHost
- 0xe3ca:$x2: IClientNetworkHost
- 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3eb5360.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xe105:$x1: NanoCore Client.exe
- 0xe38d:$x2: NanoCore.ClientPluginHost
- 0xf9c6:$s1: PluginCommand
- 0xf9ba:$s2: FileCommand
- 0x1086b:$s3: PipeExists
- 0x16622:$s4: PipeCreated
- 0xe3b7:$s5: IClientLoggingHost
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3eb5360.3.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3eb5360.3.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xe0f5:$x1: NanoCore Client
- 0xe105:$x1: NanoCore Client
- 0xe34d:$x2: NanoCore.ClientPlugin
- 0xe38d:$x3: NanoCore.ClientPluginHost
- 0xe342:$i1: IClientApp
- 0xe363:$i2: IClientData
- 0xe36f:$i3: IClientNetwork
- 0xe37e:$i4: IClientAppHost
- 0xe3a7:$i5: IClientDataHost
- 0xe3b7:$i6: IClientLoggingHost
- 0xe3ca:$i7: IClientNetworkHost
- 0xe3dd:$i8: IClientUIHost
- 0xe3eb:$i9: IClientNameObjectCollection
- 0xe407:$i10: IClientReadOnlyNameObjectCollection
- 0xe154:$s1: ClientPlugin
- 0xe356:$s1: ClientPlugin
- 0xe84a:$s2: EndPoint
- 0xe853:$s3: IPAddress
- 0xe85d:$s4: IPEndPoint
- 0x10293:$s6: get_ClientSettings
- 0x10837:$s7: get_Connected
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3eb5360.3.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xe0f5:$a: NanoCore
- 0xe105:$a: NanoCore
- 0xe339:$a: NanoCore
- 0xe34d:$a: NanoCore
- 0xe38d:$a: NanoCore
- 0xe154:$b: ClientPlugin
- 0xe356:$b: ClientPlugin
- 0xe396:$b: ClientPlugin
- 0xe27b:$c: ProjectData
- 0xec82:$d: DESCrypto
- 0x1664e:$e: KeepAlive
- 0x1463c:$g: LogClientMessage
- 0x10837:$i: get_Connected
- 0xefb8:$j: #=q
- 0xefe8:$j: #=q
- 0xf004:$j: #=q
- 0xf034:$j: #=q
- 0xf050:$j: #=q
- 0xf06c:$j: #=q
- 0xf09c:$j: #=q
- 0xf0b8:$j: #=q
|
| 15.3.Qjarsxlh.exe.44c8e80.0.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91e4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x56f51:$s4: VmlydHVhbFByb3RlY3Q
|
| 32.2.InstallUtil.exe.6090000.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0xe75:$x1: NanoCore.ClientPluginHost
- 0xe8f:$x2: IClientNetworkHost
|
| 32.2.InstallUtil.exe.6090000.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xe75:$x2: NanoCore.ClientPluginHost
- 0x1261:$s3: PipeExists
- 0x1136:$s4: PipeCreated
- 0xeb0:$s5: IClientLoggingHost
|
| 32.2.InstallUtil.exe.6090000.5.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xe38:$x2: NanoCore.ClientPlugin
- 0xe75:$x3: NanoCore.ClientPluginHost
- 0xe5a:$i1: IClientApp
- 0xe4e:$i2: IClientData
- 0xe29:$i3: IClientNetwork
- 0xec3:$i4: IClientAppHost
- 0xe65:$i5: IClientDataHost
- 0xeb0:$i6: IClientLoggingHost
- 0xe8f:$i7: IClientNetworkHost
- 0xea2:$i8: IClientUIHost
- 0xed2:$i9: IClientNameObjectCollection
- 0xef7:$i10: IClientReadOnlyNameObjectCollection
- 0xe41:$s1: ClientPlugin
- 0x177c:$s1: ClientPlugin
- 0x1789:$s1: ClientPlugin
- 0x11f9:$s6: get_ClientSettings
- 0x1249:$s7: get_Connected
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3f05380.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0xe38d:$x1: NanoCore.ClientPluginHost
- 0xe3ca:$x2: IClientNetworkHost
- 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3f05380.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xe105:$x1: NanoCore Client.exe
- 0xe38d:$x2: NanoCore.ClientPluginHost
- 0xf9c6:$s1: PluginCommand
- 0xf9ba:$s2: FileCommand
- 0x1086b:$s3: PipeExists
- 0x16622:$s4: PipeCreated
- 0xe3b7:$s5: IClientLoggingHost
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3f05380.5.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3f05380.5.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xe0f5:$x1: NanoCore Client
- 0xe105:$x1: NanoCore Client
- 0xe34d:$x2: NanoCore.ClientPlugin
- 0xe38d:$x3: NanoCore.ClientPluginHost
- 0xe342:$i1: IClientApp
- 0xe363:$i2: IClientData
- 0xe36f:$i3: IClientNetwork
- 0xe37e:$i4: IClientAppHost
- 0xe3a7:$i5: IClientDataHost
- 0xe3b7:$i6: IClientLoggingHost
- 0xe3ca:$i7: IClientNetworkHost
- 0xe3dd:$i8: IClientUIHost
- 0xe3eb:$i9: IClientNameObjectCollection
- 0xe407:$i10: IClientReadOnlyNameObjectCollection
- 0xe154:$s1: ClientPlugin
- 0xe356:$s1: ClientPlugin
- 0xe84a:$s2: EndPoint
- 0xe853:$s3: IPAddress
- 0xe85d:$s4: IPEndPoint
- 0x10293:$s6: get_ClientSettings
- 0x10837:$s7: get_Connected
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3f05380.5.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xe0f5:$a: NanoCore
- 0xe105:$a: NanoCore
- 0xe339:$a: NanoCore
- 0xe34d:$a: NanoCore
- 0xe38d:$a: NanoCore
- 0xe154:$b: ClientPlugin
- 0xe356:$b: ClientPlugin
- 0xe396:$b: ClientPlugin
- 0xe27b:$c: ProjectData
- 0xec82:$d: DESCrypto
- 0x1664e:$e: KeepAlive
- 0x1463c:$g: LogClientMessage
- 0x10837:$i: get_Connected
- 0xefb8:$j: #=q
- 0xefe8:$j: #=q
- 0xf004:$j: #=q
- 0xf034:$j: #=q
- 0xf050:$j: #=q
- 0xf06c:$j: #=q
- 0xf09c:$j: #=q
- 0xf0b8:$j: #=q
|
| 32.0.InstallUtil.exe.400000.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0x1018d:$x1: NanoCore.ClientPluginHost
- 0x101ca:$x2: IClientNetworkHost
- 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 32.0.InstallUtil.exe.400000.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xff05:$x1: NanoCore Client.exe
- 0x1018d:$x2: NanoCore.ClientPluginHost
- 0x117c6:$s1: PluginCommand
- 0x117ba:$s2: FileCommand
- 0x1266b:$s3: PipeExists
- 0x18422:$s4: PipeCreated
- 0x101b7:$s5: IClientLoggingHost
|
| 32.0.InstallUtil.exe.400000.2.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 32.0.InstallUtil.exe.400000.2.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xfef5:$x1: NanoCore Client
- 0xff05:$x1: NanoCore Client
- 0x1014d:$x2: NanoCore.ClientPlugin
- 0x1018d:$x3: NanoCore.ClientPluginHost
- 0x10142:$i1: IClientApp
- 0x10163:$i2: IClientData
- 0x1016f:$i3: IClientNetwork
- 0x1017e:$i4: IClientAppHost
- 0x101a7:$i5: IClientDataHost
- 0x101b7:$i6: IClientLoggingHost
- 0x101ca:$i7: IClientNetworkHost
- 0x101dd:$i8: IClientUIHost
- 0x101eb:$i9: IClientNameObjectCollection
- 0x10207:$i10: IClientReadOnlyNameObjectCollection
- 0xff54:$s1: ClientPlugin
- 0x10156:$s1: ClientPlugin
- 0x1064a:$s2: EndPoint
- 0x10653:$s3: IPAddress
- 0x1065d:$s4: IPEndPoint
- 0x12093:$s6: get_ClientSettings
- 0x12637:$s7: get_Connected
|
| 32.0.InstallUtil.exe.400000.2.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xfef5:$a: NanoCore
- 0xff05:$a: NanoCore
- 0x10139:$a: NanoCore
- 0x1014d:$a: NanoCore
- 0x1018d:$a: NanoCore
- 0xff54:$b: ClientPlugin
- 0x10156:$b: ClientPlugin
- 0x10196:$b: ClientPlugin
- 0x1007b:$c: ProjectData
- 0x10a82:$d: DESCrypto
- 0x1844e:$e: KeepAlive
- 0x1643c:$g: LogClientMessage
- 0x12637:$i: get_Connected
- 0x10db8:$j: #=q
- 0x10de8:$j: #=q
- 0x10e04:$j: #=q
- 0x10e34:$j: #=q
- 0x10e50:$j: #=q
- 0x10e6c:$j: #=q
- 0x10e9c:$j: #=q
- 0x10eb8:$j: #=q
|
| 32.0.InstallUtil.exe.400000.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0x1018d:$x1: NanoCore.ClientPluginHost
- 0x101ca:$x2: IClientNetworkHost
- 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 32.0.InstallUtil.exe.400000.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xff05:$x1: NanoCore Client.exe
- 0x1018d:$x2: NanoCore.ClientPluginHost
- 0x117c6:$s1: PluginCommand
- 0x117ba:$s2: FileCommand
- 0x1266b:$s3: PipeExists
- 0x18422:$s4: PipeCreated
- 0x101b7:$s5: IClientLoggingHost
|
| 32.0.InstallUtil.exe.400000.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 32.0.InstallUtil.exe.400000.4.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xfef5:$x1: NanoCore Client
- 0xff05:$x1: NanoCore Client
- 0x1014d:$x2: NanoCore.ClientPlugin
- 0x1018d:$x3: NanoCore.ClientPluginHost
- 0x10142:$i1: IClientApp
- 0x10163:$i2: IClientData
- 0x1016f:$i3: IClientNetwork
- 0x1017e:$i4: IClientAppHost
- 0x101a7:$i5: IClientDataHost
- 0x101b7:$i6: IClientLoggingHost
- 0x101ca:$i7: IClientNetworkHost
- 0x101dd:$i8: IClientUIHost
- 0x101eb:$i9: IClientNameObjectCollection
- 0x10207:$i10: IClientReadOnlyNameObjectCollection
- 0xff54:$s1: ClientPlugin
- 0x10156:$s1: ClientPlugin
- 0x1064a:$s2: EndPoint
- 0x10653:$s3: IPAddress
- 0x1065d:$s4: IPEndPoint
- 0x12093:$s6: get_ClientSettings
- 0x12637:$s7: get_Connected
|
| 32.0.InstallUtil.exe.400000.4.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xfef5:$a: NanoCore
- 0xff05:$a: NanoCore
- 0x10139:$a: NanoCore
- 0x1014d:$a: NanoCore
- 0x1018d:$a: NanoCore
- 0xff54:$b: ClientPlugin
- 0x10156:$b: ClientPlugin
- 0x10196:$b: ClientPlugin
- 0x1007b:$c: ProjectData
- 0x10a82:$d: DESCrypto
- 0x1844e:$e: KeepAlive
- 0x1643c:$g: LogClientMessage
- 0x12637:$i: get_Connected
- 0x10db8:$j: #=q
- 0x10de8:$j: #=q
- 0x10e04:$j: #=q
- 0x10e34:$j: #=q
- 0x10e50:$j: #=q
- 0x10e6c:$j: #=q
- 0x10e9c:$j: #=q
- 0x10eb8:$j: #=q
|
| 33.0.InstallUtil.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 33.0.InstallUtil.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 33.0.InstallUtil.exe.400000.4.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 32.0.InstallUtil.exe.400000.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0x1018d:$x1: NanoCore.ClientPluginHost
- 0x101ca:$x2: IClientNetworkHost
- 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 32.0.InstallUtil.exe.400000.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xff05:$x1: NanoCore Client.exe
- 0x1018d:$x2: NanoCore.ClientPluginHost
- 0x117c6:$s1: PluginCommand
- 0x117ba:$s2: FileCommand
- 0x1266b:$s3: PipeExists
- 0x18422:$s4: PipeCreated
- 0x101b7:$s5: IClientLoggingHost
|
| 32.0.InstallUtil.exe.400000.1.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 32.0.InstallUtil.exe.400000.1.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xfef5:$x1: NanoCore Client
- 0xff05:$x1: NanoCore Client
- 0x1014d:$x2: NanoCore.ClientPlugin
- 0x1018d:$x3: NanoCore.ClientPluginHost
- 0x10142:$i1: IClientApp
- 0x10163:$i2: IClientData
- 0x1016f:$i3: IClientNetwork
- 0x1017e:$i4: IClientAppHost
- 0x101a7:$i5: IClientDataHost
- 0x101b7:$i6: IClientLoggingHost
- 0x101ca:$i7: IClientNetworkHost
- 0x101dd:$i8: IClientUIHost
- 0x101eb:$i9: IClientNameObjectCollection
- 0x10207:$i10: IClientReadOnlyNameObjectCollection
- 0xff54:$s1: ClientPlugin
- 0x10156:$s1: ClientPlugin
- 0x1064a:$s2: EndPoint
- 0x10653:$s3: IPAddress
- 0x1065d:$s4: IPEndPoint
- 0x12093:$s6: get_ClientSettings
- 0x12637:$s7: get_Connected
|
| 32.0.InstallUtil.exe.400000.1.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xfef5:$a: NanoCore
- 0xff05:$a: NanoCore
- 0x10139:$a: NanoCore
- 0x1014d:$a: NanoCore
- 0x1018d:$a: NanoCore
- 0xff54:$b: ClientPlugin
- 0x10156:$b: ClientPlugin
- 0x10196:$b: ClientPlugin
- 0x1007b:$c: ProjectData
- 0x10a82:$d: DESCrypto
- 0x1844e:$e: KeepAlive
- 0x1643c:$g: LogClientMessage
- 0x12637:$i: get_Connected
- 0x10db8:$j: #=q
- 0x10de8:$j: #=q
- 0x10e04:$j: #=q
- 0x10e34:$j: #=q
- 0x10e50:$j: #=q
- 0x10e6c:$j: #=q
- 0x10e9c:$j: #=q
- 0x10eb8:$j: #=q
|
| 16.3.Qjarsxlh.exe.3cb8ea0.5.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| 16.3.Qjarsxlh.exe.3cb8ea0.5.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x58d51:$s4: VmlydHVhbFByb3RlY3Q
|
| 16.3.Qjarsxlh.exe.3cb8ea0.5.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91e4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x56f51:$s4: VmlydHVhbFByb3RlY3Q
|
| 12.3.Qqsucntzxgqwkiqkvrafiufflip.exe.3f30b50.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafc8:$s3: QW1zaVNjYW5CdWZmZXI
- 0x67900:$s4: VmlydHVhbFByb3RlY3Q
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3eb5360.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0x1018d:$x1: NanoCore.ClientPluginHost
- 0x101ca:$x2: IClientNetworkHost
- 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3eb5360.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xff05:$x1: NanoCore Client.exe
- 0x1018d:$x2: NanoCore.ClientPluginHost
- 0x117c6:$s1: PluginCommand
- 0x117ba:$s2: FileCommand
- 0x1266b:$s3: PipeExists
- 0x18422:$s4: PipeCreated
- 0x101b7:$s5: IClientLoggingHost
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3eb5360.3.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3eb5360.3.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xfef5:$x1: NanoCore Client
- 0xff05:$x1: NanoCore Client
- 0x1014d:$x2: NanoCore.ClientPlugin
- 0x1018d:$x3: NanoCore.ClientPluginHost
- 0x10142:$i1: IClientApp
- 0x10163:$i2: IClientData
- 0x1016f:$i3: IClientNetwork
- 0x1017e:$i4: IClientAppHost
- 0x101a7:$i5: IClientDataHost
- 0x101b7:$i6: IClientLoggingHost
- 0x101ca:$i7: IClientNetworkHost
- 0x101dd:$i8: IClientUIHost
- 0x101eb:$i9: IClientNameObjectCollection
- 0x10207:$i10: IClientReadOnlyNameObjectCollection
- 0xff54:$s1: ClientPlugin
- 0x10156:$s1: ClientPlugin
- 0x1064a:$s2: EndPoint
- 0x10653:$s3: IPAddress
- 0x1065d:$s4: IPEndPoint
- 0x12093:$s6: get_ClientSettings
- 0x12637:$s7: get_Connected
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3eb5360.3.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xfef5:$a: NanoCore
- 0xff05:$a: NanoCore
- 0x10139:$a: NanoCore
- 0x1014d:$a: NanoCore
- 0x1018d:$a: NanoCore
- 0xff54:$b: ClientPlugin
- 0x10156:$b: ClientPlugin
- 0x10196:$b: ClientPlugin
- 0x1007b:$c: ProjectData
- 0x10a82:$d: DESCrypto
- 0x1844e:$e: KeepAlive
- 0x1643c:$g: LogClientMessage
- 0x12637:$i: get_Connected
- 0x10db8:$j: #=q
- 0x10de8:$j: #=q
- 0x10e04:$j: #=q
- 0x10e34:$j: #=q
- 0x10e50:$j: #=q
- 0x10e6c:$j: #=q
- 0x10e9c:$j: #=q
- 0x10eb8:$j: #=q
|
| 32.2.InstallUtil.exe.3faff34.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0xd9ad:$x1: NanoCore.ClientPluginHost
- 0xd9da:$x2: IClientNetworkHost
|
| 32.2.InstallUtil.exe.3faff34.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xd9ad:$x2: NanoCore.ClientPluginHost
- 0xea88:$s4: PipeCreated
- 0xd9c7:$s5: IClientLoggingHost
|
| 32.2.InstallUtil.exe.3faff34.3.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 32.2.InstallUtil.exe.3faff34.3.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xd978:$x2: NanoCore.ClientPlugin
- 0xd9ad:$x3: NanoCore.ClientPluginHost
- 0xd96c:$i2: IClientData
- 0xd98e:$i3: IClientNetwork
- 0xd99d:$i5: IClientDataHost
- 0xd9c7:$i6: IClientLoggingHost
- 0xd9da:$i7: IClientNetworkHost
- 0xd9ed:$i8: IClientUIHost
- 0xd9fb:$i9: IClientNameObjectCollection
- 0xda17:$i10: IClientReadOnlyNameObjectCollection
- 0xd76a:$s1: ClientPlugin
- 0xd981:$s1: ClientPlugin
- 0x129a2:$s6: get_ClientSettings
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3e8d340.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0xe38d:$x1: NanoCore.ClientPluginHost
- 0xe3ca:$x2: IClientNetworkHost
- 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3e8d340.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xe105:$x1: NanoCore Client.exe
- 0xe38d:$x2: NanoCore.ClientPluginHost
- 0xf9c6:$s1: PluginCommand
- 0xf9ba:$s2: FileCommand
- 0x1086b:$s3: PipeExists
- 0x16622:$s4: PipeCreated
- 0xe3b7:$s5: IClientLoggingHost
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3e8d340.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3e8d340.4.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xe0f5:$x1: NanoCore Client
- 0xe105:$x1: NanoCore Client
- 0xe34d:$x2: NanoCore.ClientPlugin
- 0xe38d:$x3: NanoCore.ClientPluginHost
- 0xe342:$i1: IClientApp
- 0xe363:$i2: IClientData
- 0xe36f:$i3: IClientNetwork
- 0xe37e:$i4: IClientAppHost
- 0xe3a7:$i5: IClientDataHost
- 0xe3b7:$i6: IClientLoggingHost
- 0xe3ca:$i7: IClientNetworkHost
- 0xe3dd:$i8: IClientUIHost
- 0xe3eb:$i9: IClientNameObjectCollection
- 0xe407:$i10: IClientReadOnlyNameObjectCollection
- 0xe154:$s1: ClientPlugin
- 0xe356:$s1: ClientPlugin
- 0xe84a:$s2: EndPoint
- 0xe853:$s3: IPAddress
- 0xe85d:$s4: IPEndPoint
- 0x10293:$s6: get_ClientSettings
- 0x10837:$s7: get_Connected
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3e8d340.4.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xe0f5:$a: NanoCore
- 0xe105:$a: NanoCore
- 0xe339:$a: NanoCore
- 0xe34d:$a: NanoCore
- 0xe38d:$a: NanoCore
- 0xe154:$b: ClientPlugin
- 0xe356:$b: ClientPlugin
- 0xe396:$b: ClientPlugin
- 0xe27b:$c: ProjectData
- 0xec82:$d: DESCrypto
- 0x1664e:$e: KeepAlive
- 0x1463c:$g: LogClientMessage
- 0x10837:$i: get_Connected
- 0xefb8:$j: #=q
- 0xefe8:$j: #=q
- 0xf004:$j: #=q
- 0xf034:$j: #=q
- 0xf050:$j: #=q
- 0xf06c:$j: #=q
- 0xf09c:$j: #=q
- 0xf0b8:$j: #=q
|
| 32.2.InstallUtil.exe.3fab0fe.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0xe75:$x1: NanoCore.ClientPluginHost
- 0x145e3:$x1: NanoCore.ClientPluginHost
- 0x2d097:$x1: NanoCore.ClientPluginHost
- 0xe8f:$x2: IClientNetworkHost
- 0x14610:$x2: IClientNetworkHost
- 0x2d0c4:$x2: IClientNetworkHost
|
| 32.2.InstallUtil.exe.3fab0fe.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xe75:$x2: NanoCore.ClientPluginHost
- 0x145e3:$x2: NanoCore.ClientPluginHost
- 0x2d097:$x2: NanoCore.ClientPluginHost
- 0x1261:$s3: PipeExists
- 0x1136:$s4: PipeCreated
- 0x156be:$s4: PipeCreated
- 0x2e172:$s4: PipeCreated
- 0xeb0:$s5: IClientLoggingHost
- 0x145fd:$s5: IClientLoggingHost
- 0x2d0b1:$s5: IClientLoggingHost
|
| 32.2.InstallUtil.exe.3fab0fe.2.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 32.2.InstallUtil.exe.3fab0fe.2.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xe38:$x2: NanoCore.ClientPlugin
- 0x145ae:$x2: NanoCore.ClientPlugin
- 0x2d062:$x2: NanoCore.ClientPlugin
- 0xe75:$x3: NanoCore.ClientPluginHost
- 0x145e3:$x3: NanoCore.ClientPluginHost
- 0x2d097:$x3: NanoCore.ClientPluginHost
- 0xe5a:$i1: IClientApp
- 0xe4e:$i2: IClientData
- 0x145a2:$i2: IClientData
- 0x2d056:$i2: IClientData
- 0xe29:$i3: IClientNetwork
- 0x145c4:$i3: IClientNetwork
- 0x2d078:$i3: IClientNetwork
- 0xec3:$i4: IClientAppHost
- 0xe65:$i5: IClientDataHost
- 0x145d3:$i5: IClientDataHost
- 0x2d087:$i5: IClientDataHost
- 0xeb0:$i6: IClientLoggingHost
- 0x145fd:$i6: IClientLoggingHost
- 0x2d0b1:$i6: IClientLoggingHost
- 0xe8f:$i7: IClientNetworkHost
|
| 32.2.InstallUtil.exe.3fab0fe.2.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xddf:$a: NanoCore
- 0xe38:$a: NanoCore
- 0xe75:$a: NanoCore
- 0xeee:$a: NanoCore
- 0x14599:$a: NanoCore
- 0x145ae:$a: NanoCore
- 0x145e3:$a: NanoCore
- 0x2d04d:$a: NanoCore
- 0x2d062:$a: NanoCore
- 0x2d097:$a: NanoCore
- 0xe41:$b: ClientPlugin
- 0xe7e:$b: ClientPlugin
- 0x177c:$b: ClientPlugin
- 0x1789:$b: ClientPlugin
- 0x14355:$b: ClientPlugin
- 0x14370:$b: ClientPlugin
- 0x143a0:$b: ClientPlugin
- 0x145b7:$b: ClientPlugin
- 0x145ec:$b: ClientPlugin
- 0x2ce09:$b: ClientPlugin
- 0x2ce24:$b: ClientPlugin
|
| 0.3.TM57812337.exe.36e8e80.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x58d51:$s4: VmlydHVhbFByb3RlY3Q
|
| 14.0.InstallUtil.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 14.0.InstallUtil.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 14.0.InstallUtil.exe.400000.4.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 32.2.InstallUtil.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0x1018d:$x1: NanoCore.ClientPluginHost
- 0x101ca:$x2: IClientNetworkHost
- 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 32.2.InstallUtil.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xff05:$x1: NanoCore Client.exe
- 0x1018d:$x2: NanoCore.ClientPluginHost
- 0x117c6:$s1: PluginCommand
- 0x117ba:$s2: FileCommand
- 0x1266b:$s3: PipeExists
- 0x18422:$s4: PipeCreated
- 0x101b7:$s5: IClientLoggingHost
|
| 32.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 32.2.InstallUtil.exe.400000.0.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xfef5:$x1: NanoCore Client
- 0xff05:$x1: NanoCore Client
- 0x1014d:$x2: NanoCore.ClientPlugin
- 0x1018d:$x3: NanoCore.ClientPluginHost
- 0x10142:$i1: IClientApp
- 0x10163:$i2: IClientData
- 0x1016f:$i3: IClientNetwork
- 0x1017e:$i4: IClientAppHost
- 0x101a7:$i5: IClientDataHost
- 0x101b7:$i6: IClientLoggingHost
- 0x101ca:$i7: IClientNetworkHost
- 0x101dd:$i8: IClientUIHost
- 0x101eb:$i9: IClientNameObjectCollection
- 0x10207:$i10: IClientReadOnlyNameObjectCollection
- 0xff54:$s1: ClientPlugin
- 0x10156:$s1: ClientPlugin
- 0x1064a:$s2: EndPoint
- 0x10653:$s3: IPAddress
- 0x1065d:$s4: IPEndPoint
- 0x12093:$s6: get_ClientSettings
- 0x12637:$s7: get_Connected
|
| 32.2.InstallUtil.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xfef5:$a: NanoCore
- 0xff05:$a: NanoCore
- 0x10139:$a: NanoCore
- 0x1014d:$a: NanoCore
- 0x1018d:$a: NanoCore
- 0xff54:$b: ClientPlugin
- 0x10156:$b: ClientPlugin
- 0x10196:$b: ClientPlugin
- 0x1007b:$c: ProjectData
- 0x10a82:$d: DESCrypto
- 0x1844e:$e: KeepAlive
- 0x1643c:$g: LogClientMessage
- 0x12637:$i: get_Connected
- 0x10db8:$j: #=q
- 0x10de8:$j: #=q
- 0x10e04:$j: #=q
- 0x10e34:$j: #=q
- 0x10e50:$j: #=q
- 0x10e6c:$j: #=q
- 0x10e9c:$j: #=q
- 0x10eb8:$j: #=q
|
| 33.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 33.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 33.2.InstallUtil.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 32.2.InstallUtil.exe.3faff34.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0xf7ad:$x1: NanoCore.ClientPluginHost
- 0x28261:$x1: NanoCore.ClientPluginHost
- 0xf7da:$x2: IClientNetworkHost
- 0x2828e:$x2: IClientNetworkHost
|
| 32.2.InstallUtil.exe.3faff34.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xf7ad:$x2: NanoCore.ClientPluginHost
- 0x28261:$x2: NanoCore.ClientPluginHost
- 0x10888:$s4: PipeCreated
- 0x2933c:$s4: PipeCreated
- 0xf7c7:$s5: IClientLoggingHost
- 0x2827b:$s5: IClientLoggingHost
|
| 32.2.InstallUtil.exe.3faff34.3.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 32.2.InstallUtil.exe.3faff34.3.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xf778:$x2: NanoCore.ClientPlugin
- 0x2822c:$x2: NanoCore.ClientPlugin
- 0xf7ad:$x3: NanoCore.ClientPluginHost
- 0x28261:$x3: NanoCore.ClientPluginHost
- 0xf76c:$i2: IClientData
- 0x28220:$i2: IClientData
- 0xf78e:$i3: IClientNetwork
- 0x28242:$i3: IClientNetwork
- 0xf79d:$i5: IClientDataHost
- 0x28251:$i5: IClientDataHost
- 0xf7c7:$i6: IClientLoggingHost
- 0x2827b:$i6: IClientLoggingHost
- 0xf7da:$i7: IClientNetworkHost
- 0x2828e:$i7: IClientNetworkHost
- 0xf7ed:$i8: IClientUIHost
- 0x282a1:$i8: IClientUIHost
- 0xf7fb:$i9: IClientNameObjectCollection
- 0x282af:$i9: IClientNameObjectCollection
- 0xf817:$i10: IClientReadOnlyNameObjectCollection
- 0x282cb:$i10: IClientReadOnlyNameObjectCollection
- 0xf56a:$s1: ClientPlugin
|
| 12.3.Qqsucntzxgqwkiqkvrafiufflip.exe.3f30b50.0.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91c8:$s3: QW1zaVNjYW5CdWZmZXI
- 0x65b00:$s4: VmlydHVhbFByb3RlY3Q
|
| 14.0.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 14.0.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 14.0.InstallUtil.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 16.2.Qjarsxlh.exe.59f0000.4.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91e4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x56f51:$s4: VmlydHVhbFByb3RlY3Q
|
| 0.2.TM57812337.exe.3637b90.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 0.2.TM57812337.exe.3637b90.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 0.2.TM57812337.exe.3637b90.3.raw.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.2e3c86c.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0xe38d:$x1: NanoCore.ClientPluginHost
- 0xe3ca:$x2: IClientNetworkHost
- 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.2e3c86c.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xe105:$x1: NanoCore Client.exe
- 0xe38d:$x2: NanoCore.ClientPluginHost
- 0xf9c6:$s1: PluginCommand
- 0xf9ba:$s2: FileCommand
- 0x1086b:$s3: PipeExists
- 0xe3b7:$s5: IClientLoggingHost
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.2e3c86c.1.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xe0f5:$x1: NanoCore Client
- 0xe105:$x1: NanoCore Client
- 0xe34d:$x2: NanoCore.ClientPlugin
- 0xe38d:$x3: NanoCore.ClientPluginHost
- 0xe342:$i1: IClientApp
- 0xe363:$i2: IClientData
- 0xe36f:$i3: IClientNetwork
- 0xe37e:$i4: IClientAppHost
- 0xe3a7:$i5: IClientDataHost
- 0xe3b7:$i6: IClientLoggingHost
- 0xe3ca:$i7: IClientNetworkHost
- 0xe3dd:$i8: IClientUIHost
- 0xe3eb:$i9: IClientNameObjectCollection
- 0xe407:$i10: IClientReadOnlyNameObjectCollection
- 0xe154:$s1: ClientPlugin
- 0xe356:$s1: ClientPlugin
- 0xe84a:$s2: EndPoint
- 0xe853:$s3: IPAddress
- 0xe85d:$s4: IPEndPoint
- 0x10293:$s6: get_ClientSettings
- 0x10837:$s7: get_Connected
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.2e3c86c.1.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xe0f5:$a: NanoCore
- 0xe105:$a: NanoCore
- 0xe339:$a: NanoCore
- 0xe34d:$a: NanoCore
- 0xe38d:$a: NanoCore
- 0xe154:$b: ClientPlugin
- 0xe356:$b: ClientPlugin
- 0xe396:$b: ClientPlugin
- 0xe27b:$c: ProjectData
- 0xec82:$d: DESCrypto
- 0x10837:$i: get_Connected
- 0xefb8:$j: #=q
- 0xefe8:$j: #=q
- 0xf004:$j: #=q
- 0xf034:$j: #=q
- 0xf050:$j: #=q
- 0xf06c:$j: #=q
- 0xf09c:$j: #=q
- 0xf0b8:$j: #=q
- 0xf0fc:$j: #=q
- 0xf118:$j: #=q
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.2e3c86c.1.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0x1018d:$x1: NanoCore.ClientPluginHost
- 0x101ca:$x2: IClientNetworkHost
- 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.2e3c86c.1.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xff05:$x1: NanoCore Client.exe
- 0x1018d:$x2: NanoCore.ClientPluginHost
- 0x117c6:$s1: PluginCommand
- 0x117ba:$s2: FileCommand
- 0x1266b:$s3: PipeExists
- 0x101b7:$s5: IClientLoggingHost
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.2e3c86c.1.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xfef5:$x1: NanoCore Client
- 0xff05:$x1: NanoCore Client
- 0x1014d:$x2: NanoCore.ClientPlugin
- 0x1018d:$x3: NanoCore.ClientPluginHost
- 0x10142:$i1: IClientApp
- 0x10163:$i2: IClientData
- 0x1016f:$i3: IClientNetwork
- 0x1017e:$i4: IClientAppHost
- 0x101a7:$i5: IClientDataHost
- 0x101b7:$i6: IClientLoggingHost
- 0x101ca:$i7: IClientNetworkHost
- 0x101dd:$i8: IClientUIHost
- 0x101eb:$i9: IClientNameObjectCollection
- 0x10207:$i10: IClientReadOnlyNameObjectCollection
- 0xff54:$s1: ClientPlugin
- 0x10156:$s1: ClientPlugin
- 0x1064a:$s2: EndPoint
- 0x10653:$s3: IPAddress
- 0x1065d:$s4: IPEndPoint
- 0x12093:$s6: get_ClientSettings
- 0x12637:$s7: get_Connected
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.2e3c86c.1.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xfef5:$a: NanoCore
- 0xff05:$a: NanoCore
- 0x10139:$a: NanoCore
- 0x1014d:$a: NanoCore
- 0x1018d:$a: NanoCore
- 0xff54:$b: ClientPlugin
- 0x10156:$b: ClientPlugin
- 0x10196:$b: ClientPlugin
- 0x1007b:$c: ProjectData
- 0x10a82:$d: DESCrypto
- 0x12637:$i: get_Connected
- 0x10db8:$j: #=q
- 0x10de8:$j: #=q
- 0x10e04:$j: #=q
- 0x10e34:$j: #=q
- 0x10e50:$j: #=q
- 0x10e6c:$j: #=q
- 0x10e9c:$j: #=q
- 0x10eb8:$j: #=q
- 0x10efc:$j: #=q
- 0x10f18:$j: #=q
|
| 15.2.Qjarsxlh.exe.4417b90.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 15.2.Qjarsxlh.exe.4417b90.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 15.2.Qjarsxlh.exe.4417b90.3.raw.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3e8d340.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | - 0x1018d:$x1: NanoCore.ClientPluginHost
- 0x381ad:$x1: NanoCore.ClientPluginHost
- 0x101ca:$x2: IClientNetworkHost
- 0x381ea:$x2: IClientNetworkHost
- 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
- 0x3bd1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3e8d340.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | - 0xff05:$x1: NanoCore Client.exe
- 0x37f25:$x1: NanoCore Client.exe
- 0x1018d:$x2: NanoCore.ClientPluginHost
- 0x381ad:$x2: NanoCore.ClientPluginHost
- 0x117c6:$s1: PluginCommand
- 0x397e6:$s1: PluginCommand
- 0x117ba:$s2: FileCommand
- 0x397da:$s2: FileCommand
- 0x1266b:$s3: PipeExists
- 0x3a68b:$s3: PipeExists
- 0x18422:$s4: PipeCreated
- 0x40442:$s4: PipeCreated
- 0x101b7:$s5: IClientLoggingHost
- 0x381d7:$s5: IClientLoggingHost
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3e8d340.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | |
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3e8d340.4.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | - 0xfef5:$x1: NanoCore Client
- 0xff05:$x1: NanoCore Client
- 0x37f15:$x1: NanoCore Client
- 0x37f25:$x1: NanoCore Client
- 0x1014d:$x2: NanoCore.ClientPlugin
- 0x3816d:$x2: NanoCore.ClientPlugin
- 0x1018d:$x3: NanoCore.ClientPluginHost
- 0x381ad:$x3: NanoCore.ClientPluginHost
- 0x10142:$i1: IClientApp
- 0x38162:$i1: IClientApp
- 0x10163:$i2: IClientData
- 0x38183:$i2: IClientData
- 0x1016f:$i3: IClientNetwork
- 0x3818f:$i3: IClientNetwork
- 0x1017e:$i4: IClientAppHost
- 0x3819e:$i4: IClientAppHost
- 0x101a7:$i5: IClientDataHost
- 0x381c7:$i5: IClientDataHost
- 0x101b7:$i6: IClientLoggingHost
- 0x381d7:$i6: IClientLoggingHost
- 0x101ca:$i7: IClientNetworkHost
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.3e8d340.4.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | - 0xfef5:$a: NanoCore
- 0xff05:$a: NanoCore
- 0x10139:$a: NanoCore
- 0x1014d:$a: NanoCore
- 0x1018d:$a: NanoCore
- 0x37f15:$a: NanoCore
- 0x37f25:$a: NanoCore
- 0x38159:$a: NanoCore
- 0x3816d:$a: NanoCore
- 0x381ad:$a: NanoCore
- 0xff54:$b: ClientPlugin
- 0x10156:$b: ClientPlugin
- 0x10196:$b: ClientPlugin
- 0x37f74:$b: ClientPlugin
- 0x38176:$b: ClientPlugin
- 0x381b6:$b: ClientPlugin
- 0x1007b:$c: ProjectData
- 0x3809b:$c: ProjectData
- 0x10a82:$d: DESCrypto
- 0x38aa2:$d: DESCrypto
- 0x1844e:$e: KeepAlive
|
| 14.0.InstallUtil.exe.400000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 14.0.InstallUtil.exe.400000.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 14.0.InstallUtil.exe.400000.3.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 0.2.TM57812337.exe.3637b90.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 0.2.TM57812337.exe.3637b90.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 0.2.TM57812337.exe.3637b90.3.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x30d4c:$s10: logins
- 0x307b3:$s11: credential
- 0x2cd9d:$g1: get_Clipboard
- 0x2cdab:$g2: get_Keyboard
- 0x2cdb8:$g3: get_Password
- 0x2e0a4:$g4: get_CtrlKeyDown
- 0x2e0b4:$g5: get_ShiftKeyDown
- 0x2e0c5:$g6: get_AltKeyDown
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.5cd0000.6.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0x91c8:$s3: QW1zaVNjYW5CdWZmZXI
- 0x65b00:$s4: VmlydHVhbFByb3RlY3Q
|
| 12.3.Qqsucntzxgqwkiqkvrafiufflip.exe.3ef0b30.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafc8:$s3: QW1zaVNjYW5CdWZmZXI
- 0x4afe8:$s3: QW1zaVNjYW5CdWZmZXI
- 0xa7920:$s4: VmlydHVhbFByb3RlY3Q
|
| 12.2.Qqsucntzxgqwkiqkvrafiufflip.exe.5cd0000.6.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafc8:$s3: QW1zaVNjYW5CdWZmZXI
- 0x67900:$s4: VmlydHVhbFByb3RlY3Q
|
| 14.0.InstallUtil.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 14.0.InstallUtil.exe.400000.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 14.0.InstallUtil.exe.400000.2.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 33.0.InstallUtil.exe.400000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 33.0.InstallUtil.exe.400000.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 33.0.InstallUtil.exe.400000.3.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | - 0x32b4c:$s10: logins
- 0x325b3:$s11: credential
- 0x2eb9d:$g1: get_Clipboard
- 0x2ebab:$g2: get_Keyboard
- 0x2ebb8:$g3: get_Password
- 0x2fea4:$g4: get_CtrlKeyDown
- 0x2feb4:$g5: get_ShiftKeyDown
- 0x2fec5:$g6: get_AltKeyDown
|
| 0.3.TM57812337.exe.36a8e60.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x4b004:$s3: QW1zaVNjYW5CdWZmZXI
- 0x98d71:$s4: VmlydHVhbFByb3RlY3Q
|
| 0.3.TM57812337.exe.3688e40.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x2b004:$s3: QW1zaVNjYW5CdWZmZXI
- 0x6b024:$s3: QW1zaVNjYW5CdWZmZXI
- 0xb8d91:$s4: VmlydHVhbFByb3RlY3Q
|
| 12.3.Qqsucntzxgqwkiqkvrafiufflip.exe.3fb0b70.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| 12.3.Qqsucntzxgqwkiqkvrafiufflip.exe.3fb0b70.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafc8:$s3: QW1zaVNjYW5CdWZmZXI
- 0x67900:$s4: VmlydHVhbFByb3RlY3Q
|
| 15.3.Qjarsxlh.exe.4468e40.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x2b004:$s3: QW1zaVNjYW5CdWZmZXI
- 0x6b024:$s3: QW1zaVNjYW5CdWZmZXI
- 0xb8d91:$s4: VmlydHVhbFByb3RlY3Q
|
| 0.3.TM57812337.exe.3768ea0.3.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| 0.3.TM57812337.exe.3768ea0.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen | - 0xafe4:$s3: QW1zaVNjYW5CdWZmZXI
- 0x58d51:$s4: VmlydHVhbFByb3RlY3Q
|
| Click to see the 176 entries |
Edit tour
TM57812337.exe (PID: 6460 cmdline: 
cmd.exe (PID: 6956 cmdline: 
timeout.exe (PID: 7000 cmdline: 
