Edit tour

Windows Analysis Report
SdwkQEBnc3.exe

Overview

General Information

Sample Name:	SdwkQEBnc3.exe
Analysis ID:	709347
MD5:	33851c19216f0e65db0aecc27dc71ffc
SHA1:	0ad881c7d507bea247bfe454e29bc645f3d1b4ac
SHA256:	d3c3718f2106aca6ed10bb92ec37e99bcadd8536f499af4de3849625a0a1c109
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Machine Learning detection for sample

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to call native functions

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Classification

Process Tree

System is w10x64

SdwkQEBnc3.exe (PID: 5128 cmdline: "C:\Users\user\Desktop\SdwkQEBnc3.exe" MD5: 33851C19216F0E65DB0AECC27DC71FFC)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "7fd0fb12-397b-455a-940b-bef9261b", "Group": "kurban", "Domain1": "eu-central-7075.packetriot.net", "Domain2": "127.0.0.1", "Port": 22378, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SdwkQEBnc3.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
SdwkQEBnc3.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
SdwkQEBnc3.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
SdwkQEBnc3.exe	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
SdwkQEBnc3.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
SdwkQEBnc3.exe	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x33cd:$a: NanoCore 0x3426:$a: NanoCore 0x3463:$a: NanoCore 0x34dc:$a: NanoCore 0x16b87:$a: NanoCore 0x16b9c:$a: NanoCore 0x16bd1:$a: NanoCore 0x2f643:$a: NanoCore 0x2f658:$a: NanoCore 0x2f68d:$a: NanoCore 0x342f:$b: ClientPlugin 0x346c:$b: ClientPlugin 0x3d6a:$b: ClientPlugin 0x3d77:$b: ClientPlugin 0x16943:$b: ClientPlugin 0x1695e:$b: ClientPlugin 0x1698e:$b: ClientPlugin 0x16ba5:$b: ClientPlugin 0x16bda:$b: ClientPlugin 0x2f3ff:$b: ClientPlugin 0x2f41a:$b: ClientPlugin
00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3463:$a1: NanoCore.ClientPluginHost 0x16bd1:$a1: NanoCore.ClientPluginHost 0x2f68d:$a1: NanoCore.ClientPluginHost 0x3426:$a2: NanoCore.ClientPlugin 0x16b9c:$a2: NanoCore.ClientPlugin 0x2f658:$a2: NanoCore.ClientPlugin 0x37fa:$b1: get_BuilderSettings 0x1bb17:$b1: get_BuilderSettings 0x345d3:$b1: get_BuilderSettings 0x34b1:$b4: IClientAppHost 0x386b:$b6: AddHostEntry 0x38da:$b7: LogClientException 0x1ba86:$b7: LogClientException 0x34542:$b7: LogClientException 0x384f:$b8: PipeExists 0x349e:$b9: IClientLoggingHost 0x16beb:$b9: IClientLoggingHost 0x2f6a7:$b9: IClientLoggingHost
00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000000.00000002.508672696.00000000035F1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x115f9:$a1: NanoCore.ClientPluginHost 0x115bc:$a2: NanoCore.ClientPlugin 0x11990:$b1: get_BuilderSettings 0x11647:$b4: IClientAppHost 0x11a01:$b6: AddHostEntry 0x11a70:$b7: LogClientException 0x119e5:$b8: PipeExists 0x11634:$b9: IClientLoggingHost
Process Memory Space: SdwkQEBnc3.exe PID: 5128	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16be:$x1: NanoCore.ClientPluginHost 0x16375:$x1: NanoCore.ClientPluginHost 0xafcae:$x1: NanoCore.ClientPluginHost 0xe3c08:$x1: NanoCore.ClientPluginHost 0xfe565:$x1: NanoCore.ClientPluginHost 0x16d8:$x2: IClientNetworkHost 0x163b2:$x2: IClientNetworkHost 0xafcdb:$x2: IClientNetworkHost 0xe3c22:$x2: IClientNetworkHost 0xfe57f:$x2: IClientNetworkHost 0x19ea3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x24f29:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: SdwkQEBnc3.exe PID: 5128	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: SdwkQEBnc3.exe PID: 5128	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1628:$a: NanoCore 0x1681:$a: NanoCore 0x16be:$a: NanoCore 0x1737:$a: NanoCore 0x1ff0:$a: NanoCore 0x2043:$a: NanoCore 0x207c:$a: NanoCore 0x20ef:$a: NanoCore 0x96c1:$a: NanoCore 0x96d4:$a: NanoCore 0x9706:$a: NanoCore 0xeee4:$a: NanoCore 0xeef7:$a: NanoCore 0xef29:$a: NanoCore 0x16042:$a: NanoCore 0x16052:$a: NanoCore 0x16111:$a: NanoCore 0x16120:$a: NanoCore 0x16321:$a: NanoCore 0x16335:$a: NanoCore 0x16375:$a: NanoCore
Process Memory Space: SdwkQEBnc3.exe PID: 5128	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16be:$a1: NanoCore.ClientPluginHost 0x16375:$a1: NanoCore.ClientPluginHost 0xafcae:$a1: NanoCore.ClientPluginHost 0xe3c08:$a1: NanoCore.ClientPluginHost 0xfe565:$a1: NanoCore.ClientPluginHost 0x1681:$a2: NanoCore.ClientPlugin 0x16335:$a2: NanoCore.ClientPlugin 0xafc79:$a2: NanoCore.ClientPlugin 0xe3bcb:$a2: NanoCore.ClientPlugin 0xfe528:$a2: NanoCore.ClientPlugin 0x1a38:$b1: get_BuilderSettings 0x1824c:$b1: get_BuilderSettings 0xb4a80:$b1: get_BuilderSettings 0xe3f6e:$b1: get_BuilderSettings 0xfe8df:$b1: get_BuilderSettings 0x160f6:$b2: ClientLoaderForm.resources 0x1796c:$b3: PluginCommand 0x170c:$b4: IClientAppHost 0x16366:$b4: IClientAppHost 0xe3c56:$b4: IClientAppHost 0xfe5b3:$b4: IClientAppHost
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SdwkQEBnc3.exe.463e424.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
0.2.SdwkQEBnc3.exe.463e424.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
0.2.SdwkQEBnc3.exe.463e424.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SdwkQEBnc3.exe.463e424.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
0.2.SdwkQEBnc3.exe.463e424.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
0.2.SdwkQEBnc3.exe.5a80000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0.2.SdwkQEBnc3.exe.5a80000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0.2.SdwkQEBnc3.exe.5a80000.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0.2.SdwkQEBnc3.exe.5a80000.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
0.0.SdwkQEBnc3.exe.f10000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.SdwkQEBnc3.exe.f10000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.0.SdwkQEBnc3.exe.f10000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.0.SdwkQEBnc3.exe.f10000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.0.SdwkQEBnc3.exe.f10000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.0.SdwkQEBnc3.exe.f10000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c40:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c6d:$x2: IClientNetworkHost
0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c40:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d1b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c5a:$s5: IClientLoggingHost
0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c0b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c40:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23bff:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c21:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c30:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c5a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c6d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c80:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23c8e:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23caa:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x23c40:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x23c0b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x28b86:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x28af5:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x23c5a:$b9: IClientLoggingHost
0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d09f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0cc:$x2: IClientNetworkHost
0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d09f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e17a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0b9:$s5: IClientLoggingHost
0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d06a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d09f:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d05e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d080:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d08f:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d0b9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d055:$a: NanoCore 0x2d06a:$a: NanoCore 0x2d09f:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce11:$b: ClientPlugin 0x2ce2c:$b: ClientPlugin
0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d09f:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d06a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x31fe5:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x31f54:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d0b9:$b9: IClientLoggingHost
0.2.SdwkQEBnc3.exe.5e30000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
0.2.SdwkQEBnc3.exe.5e30000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
0.2.SdwkQEBnc3.exe.5e30000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SdwkQEBnc3.exe.5e30000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
0.2.SdwkQEBnc3.exe.5e30000.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28269:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28296:$x2: IClientNetworkHost
0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28269:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29344:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28283:$s5: IClientLoggingHost
0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28234:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28269:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28228:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2824a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28259:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x28283:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x28296:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x282a9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282b7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282d3:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28269:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28234:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d1af:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d11e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x28283:$b9: IClientLoggingHost
0.2.SdwkQEBnc3.exe.3601784.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0.2.SdwkQEBnc3.exe.3601784.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0.2.SdwkQEBnc3.exe.3601784.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0.2.SdwkQEBnc3.exe.3601784.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
Click to see the 45 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SdwkQEBnc3.exe, ProcessId: 5128, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SdwkQEBnc3.exe, ProcessId: 5128, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SdwkQEBnc3.exe, ProcessId: 5128, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SdwkQEBnc3.exe, ProcessId: 5128, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649729223782025019 09/25/22-10:39:19.021240
SID:	2025019
Source Port:	49729
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649708223782025019 09/25/22-10:37:58.335400
SID:	2025019
Source Port:	49708
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649719223782025019 09/25/22-10:38:45.572488
SID:	2025019
Source Port:	49719
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649728223782025019 09/25/22-10:39:13.005416
SID:	2025019
Source Port:	49728
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649723223782025019 09/25/22-10:39:06.622577
SID:	2025019
Source Port:	49723
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649709223782025019 09/25/22-10:38:04.391752
SID:	2025019
Source Port:	49709
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649712223782025019 09/25/22-10:38:11.114012
SID:	2025019
Source Port:	49712
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649723223782816766 09/25/22-10:39:08.421800
SID:	2816766
Source Port:	49723
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649733223782816766 09/25/22-10:39:42.564776
SID:	2816766
Source Port:	49733
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649712223782816766 09/25/22-10:38:14.198704
SID:	2816766
Source Port:	49712
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649737223782025019 09/25/22-10:39:46.930085
SID:	2025019
Source Port:	49737
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649716223782025019 09/25/22-10:38:33.571963
SID:	2025019
Source Port:	49716
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649717223782025019 09/25/22-10:38:39.534899
SID:	2025019
Source Port:	49717
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649708223782816718 09/25/22-10:37:59.384612
SID:	2816718
Source Port:	49708
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649716223782816766 09/25/22-10:38:35.293304
SID:	2816766
Source Port:	49716
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649737223782816766 09/25/22-10:39:48.190268
SID:	2816766
Source Port:	49737
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649729223782816766 09/25/22-10:39:20.875554
SID:	2816766
Source Port:	49729
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649719223782816766 09/25/22-10:38:47.309965
SID:	2816766
Source Port:	49719
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649708223782816766 09/25/22-10:38:00.056144
SID:	2816766
Source Port:	49708
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649717223782816766 09/25/22-10:38:41.356311
SID:	2816766
Source Port:	49717
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649728223782816766 09/25/22-10:39:14.776089
SID:	2816766
Source Port:	49728
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649741223782816766 09/25/22-10:39:54.862352
SID:	2816766
Source Port:	49741
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649723223782816718 09/25/22-10:39:07.608396
SID:	2816718
Source Port:	49723
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649733223782025019 09/25/22-10:39:40.736255
SID:	2025019
Source Port:	49733
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649709223782816766 09/25/22-10:38:06.120867
SID:	2816766
Source Port:	49709
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 167.71.56.116

Timestamp:	192.168.2.3167.71.56.11649741223782025019 09/25/22-10:39:53.012867
SID:	2025019
Source Port:	49741
Destination Port:	22378
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SdwkQEBnc3.exe	ReversingLabs: Detection: 100%
Source: SdwkQEBnc3.exe	Virustotal: Detection: 83%	Perma Link
Source: SdwkQEBnc3.exe	Metadefender: Detection: 94%	Perma Link

Antivirus / Scanner detection for submitted sample

Source: SdwkQEBnc3.exe

Avira: detected

Antivirus detection for URL or domain

Source: eu-central-7075.packetriot.net

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: eu-central-7075.packetriot.net	Virustotal: Detection: 10%			Perma Link
Source: eu-central-7075.packetriot.net	Virustotal: Detection: 10%			Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: SdwkQEBnc3.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.463e424.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SdwkQEBnc3.exe PID: 5128, type: MEMORYSTR

Machine Learning detection for sample

Source: SdwkQEBnc3.exe

Joe Sandbox ML: detected

Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack	Avira: Label: TR/NanoCore.fadte

Source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7fd0fb12-397b-455a-940b-bef9261b", "Group": "kurban", "Domain1": "eu-central-7075.packetriot.net", "Domain2": "127.0.0.1", "Port": 22378, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Source: SdwkQEBnc3.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49708 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49708 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49708 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49709 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49709 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49712 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49712 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49716 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49716 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49717 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49717 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49719 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49719 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49723 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49723 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49723 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49728 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49728 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49729 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49729 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49733 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49737 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 167.71.56.116:22378
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49741 -> 167.71.56.116:22378

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: eu-central-7075.packetriot.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View

IP Address: 167.71.56.116 167.71.56.116

Source: global traffic

TCP traffic: 192.168.2.3:49708 -> 167.71.56.116:22378

Source: unknown

DNS traffic detected: queries for: eu-central-7075.packetriot.net

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

Code function: 0_2_05832CD2 WSARecv,

Source: SdwkQEBnc3.exe, 00000000.00000002.506539476.00000000015AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: SdwkQEBnc3.exe, 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: SdwkQEBnc3.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.463e424.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SdwkQEBnc3.exe PID: 5128, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: SdwkQEBnc3.exe, type: SAMPLE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: SdwkQEBnc3.exe, type: SAMPLE	Matched rule: Detects NanoCore Author: ditekSHen
Source: SdwkQEBnc3.exe, type: SAMPLE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: SdwkQEBnc3.exe, type: SAMPLE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.SdwkQEBnc3.exe.463e424.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SdwkQEBnc3.exe.463e424.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.SdwkQEBnc3.exe.463e424.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.SdwkQEBnc3.exe.5a80000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SdwkQEBnc3.exe.5a80000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.SdwkQEBnc3.exe.5a80000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.SdwkQEBnc3.exe.3601784.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SdwkQEBnc3.exe.3601784.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.SdwkQEBnc3.exe.3601784.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.508672696.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: SdwkQEBnc3.exe PID: 5128, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: SdwkQEBnc3.exe PID: 5128, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SdwkQEBnc3.exe PID: 5128, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: SdwkQEBnc3.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SdwkQEBnc3.exe, type: SAMPLE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: SdwkQEBnc3.exe, type: SAMPLE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: SdwkQEBnc3.exe, type: SAMPLE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: SdwkQEBnc3.exe, type: SAMPLE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: SdwkQEBnc3.exe, type: SAMPLE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.SdwkQEBnc3.exe.463e424.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.463e424.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.463e424.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.SdwkQEBnc3.exe.463e424.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.SdwkQEBnc3.exe.5a80000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.5a80000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.5a80000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.SdwkQEBnc3.exe.5a80000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.SdwkQEBnc3.exe.3601784.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.3601784.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SdwkQEBnc3.exe.3601784.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.SdwkQEBnc3.exe.3601784.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.508672696.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: SdwkQEBnc3.exe PID: 5128, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: SdwkQEBnc3.exe PID: 5128, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SdwkQEBnc3.exe PID: 5128, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_0570AD38
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_05708468
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_05709068
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_057023A0
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_05702FA8
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_0570912F
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_05709910
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_0570306F
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_0570937B

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_05831642 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_05831607 NtQuerySystemInformation,

Source: SdwkQEBnc3.exe, 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs SdwkQEBnc3.exe
Source: SdwkQEBnc3.exe, 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs SdwkQEBnc3.exe
Source: SdwkQEBnc3.exe, 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SdwkQEBnc3.exe
Source: SdwkQEBnc3.exe, 00000000.00000002.513932324.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs SdwkQEBnc3.exe
Source: SdwkQEBnc3.exe, 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs SdwkQEBnc3.exe
Source: SdwkQEBnc3.exe, 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SdwkQEBnc3.exe
Source: SdwkQEBnc3.exe, 00000000.00000002.508672696.00000000035F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs SdwkQEBnc3.exe
Source: SdwkQEBnc3.exe, 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs SdwkQEBnc3.exe
Source: SdwkQEBnc3.exe, 00000000.00000002.506539476.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs SdwkQEBnc3.exe

Source: SdwkQEBnc3.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9997098214285715

Source: SdwkQEBnc3.exe	ReversingLabs: Detection: 100%
Source: SdwkQEBnc3.exe	Virustotal: Detection: 83%
Source: SdwkQEBnc3.exe	Metadefender: Detection: 94%

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

File read: C:\Users\user\Desktop\SdwkQEBnc3.exe

Jump to behavior

Source: SdwkQEBnc3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_05831402 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_058313CB AdjustTokenPrivileges,

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/1@12/3

Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: SdwkQEBnc3.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: SdwkQEBnc3.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: SdwkQEBnc3.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{7fd0fb12-397b-455a-940b-bef9261bdda7}
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: SdwkQEBnc3.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: SdwkQEBnc3.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SdwkQEBnc3.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: SdwkQEBnc3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation

.NET source code contains potential unpacker

Source: SdwkQEBnc3.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: SdwkQEBnc3.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: SdwkQEBnc3.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: SdwkQEBnc3.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

File opened: C:\Users\user\Desktop\SdwkQEBnc3.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe TID: 5140	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe TID: 5156	Thread sleep time: -280000s >= -30000s

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Window / User API: threadDelayed 397
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Window / User API: foregroundWindowGot 1237

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

Code function: 0_2_0583112A GetSystemInfo,

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

Thread delayed: delay time: 922337203685477

Source: SdwkQEBnc3.exe, 00000000.00000003.252232280.0000000001671000.00000004.00000020.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000003.404164699.0000000001671000.00000004.00000020.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000003.251082376.0000000001671000.00000004.00000020.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000003.463806944.0000000001671000.00000004.00000020.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000003.479435315.0000000001671000.00000004.00000020.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000003.245467170.0000000001671000.00000004.00000020.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000003.251568865.0000000001671000.00000004.00000020.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000003.256553111.0000000001671000.00000004.00000020.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000003.254004502.0000000001671000.00000004.00000020.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000003.245695919.0000000001671000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: SdwkQEBnc3.exe, 00000000.00000003.243210520.000000000166A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

Memory allocated: page read and write | page guard

Source: SdwkQEBnc3.exe, 00000000.00000003.463798700.000000000166B000.00000004.00000020.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000003.419327218.0000000001667000.00000004.00000020.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000003.475818393.000000000166A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerh
Source: SdwkQEBnc3.exe, 00000000.00000002.511063942.0000000003818000.00000004.00000800.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000002.511340676.0000000003868000.00000004.00000800.00020000.00000000.sdmp, SdwkQEBnc3.exe, 00000000.00000002.510520358.0000000003762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SdwkQEBnc3.exe, 00000000.00000002.509324331.000000000367C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerp
Source: SdwkQEBnc3.exe, 00000000.00000002.510520358.0000000003762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: SdwkQEBnc3.exe, 00000000.00000002.507614889.0000000001615000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: SdwkQEBnc3.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.463e424.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SdwkQEBnc3.exe PID: 5128, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: SdwkQEBnc3.exe, 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: SdwkQEBnc3.exe, 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: SdwkQEBnc3.exe, 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: SdwkQEBnc3.exe, 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: SdwkQEBnc3.exe, 00000000.00000002.508672696.00000000035F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: SdwkQEBnc3.exe, 00000000.00000002.508672696.00000000035F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: SdwkQEBnc3.exe, 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: SdwkQEBnc3.exe, 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: SdwkQEBnc3.exe	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: SdwkQEBnc3.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.463e424.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e34629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SdwkQEBnc3.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.4642a4d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.46395ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.5e30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SdwkQEBnc3.exe.463e424.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SdwkQEBnc3.exe PID: 5128, type: MEMORYSTR

Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_05832816 bind,
Source: C:\Users\user\Desktop\SdwkQEBnc3.exe	Code function: 0_2_058327C4 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	1 Masquerading	21 Input Capture	1 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Process Injection	LSA Secrets	3 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Non-Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	11 Application Layer Protocol	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SdwkQEBnc3.exe	100%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
SdwkQEBnc3.exe	83%	Virustotal		Browse
SdwkQEBnc3.exe	94%	Metadefender		Browse
SdwkQEBnc3.exe	100%	Avira	TR/Dropper.MSIL.Gen7
SdwkQEBnc3.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.SdwkQEBnc3.exe.f10000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
0.2.SdwkQEBnc3.exe.5e30000.6.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
eu-central-7075.packetriot.net	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
eu-central-7075.packetriot.net	10%	Virustotal		Browse
127.0.0.1	1%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe
eu-central-7075.packetriot.net	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
eu-central-7075.packetriot.net	167.71.56.116	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
eu-central-7075.packetriot.net	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
127.0.0.1	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
167.71.56.116	eu-central-7075.packetriot.net	United States		14061	DIGITALOCEAN-ASNUS	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	709347
Start date and time:	2022-09-25 10:37:05 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SdwkQEBnc3.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/1@12/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:37:58	API Interceptor	1016x Sleep call for process: SdwkQEBnc3.exe modified

Process:	C:\Users\user\Desktop\SdwkQEBnc3.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Uk/tn:Ukl
MD5:	2AC74D46D23C202B8D77F932CE807595
SHA1:	E9FAFC5726FBF9B21A51370F5CB9ED07481F6C39
SHA-256:	982CB56995CCC98B0B3117C4123E053DC19903F3D41F9F3E5C036629B809E046
SHA-512:	A25513343E660EB82278A36E1B96DEA9A334F16D62D79E165EE1A9AEB49CE3AD594460161A0EEE6FD33AE5D2A94C63D758C342F421231D1669A2B5534C035627
Malicious:	true
Reputation:	low
Preview:	..j....H

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.448162265044309
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SdwkQEBnc3.exe
File size:	207360
MD5:	33851c19216f0e65db0aecc27dc71ffc
SHA1:	0ad881c7d507bea247bfe454e29bc645f3d1b4ac
SHA256:	d3c3718f2106aca6ed10bb92ec37e99bcadd8536f499af4de3849625a0a1c109
SHA512:	beb70bc68603bc8722656297c7bab35fd15ba7a2d91520f22ea00b2d021ee171c38917d0ddd0bb50e752294c20bd2a257da7623c464252cde4f490c5b66af708
SSDEEP:	6144:gLV6Bta6dtJmakIM5XQa2WCE085Qe6nGH:gLV6Btpmk22Wd085GnC
TLSH:	6C14CF5677A94A2FE1DE89B9711241038378C2E7A8D3F3EF28D425B69F267E006471D3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. .....................................................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x41e792
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e738	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x15d90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x20000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1c798	0x1c800	False	0.594495271381579	data	6.598046369910041	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x20000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0x15d90	0x15e00	False	0.9997098214285715	data	7.997673261620719	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x22058	0x15d38	TIM image, (2595,61413)

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3167.71.56.11649729223782025019 09/25/22-10:39:19.021240	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49729	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649708223782025019 09/25/22-10:37:58.335400	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49708	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649719223782025019 09/25/22-10:38:45.572488	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49719	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649728223782025019 09/25/22-10:39:13.005416	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49728	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649723223782025019 09/25/22-10:39:06.622577	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49723	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649709223782025019 09/25/22-10:38:04.391752	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49709	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649712223782025019 09/25/22-10:38:11.114012	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49712	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649723223782816766 09/25/22-10:39:08.421800	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49723	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649733223782816766 09/25/22-10:39:42.564776	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49733	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649712223782816766 09/25/22-10:38:14.198704	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49712	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649737223782025019 09/25/22-10:39:46.930085	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49737	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649716223782025019 09/25/22-10:38:33.571963	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49716	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649717223782025019 09/25/22-10:38:39.534899	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49717	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649708223782816718 09/25/22-10:37:59.384612	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49708	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649716223782816766 09/25/22-10:38:35.293304	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49716	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649737223782816766 09/25/22-10:39:48.190268	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49737	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649729223782816766 09/25/22-10:39:20.875554	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49729	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649719223782816766 09/25/22-10:38:47.309965	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49719	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649708223782816766 09/25/22-10:38:00.056144	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49708	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649717223782816766 09/25/22-10:38:41.356311	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49717	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649728223782816766 09/25/22-10:39:14.776089	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49728	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649741223782816766 09/25/22-10:39:54.862352	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49741	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649723223782816718 09/25/22-10:39:07.608396	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49723	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649733223782025019 09/25/22-10:39:40.736255	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49733	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649709223782816766 09/25/22-10:38:06.120867	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49709	22378	192.168.2.3	167.71.56.116
192.168.2.3167.71.56.11649741223782025019 09/25/22-10:39:53.012867	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49741	22378	192.168.2.3	167.71.56.116

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2022 10:37:58.264648914 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:58.296509027 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:58.296634912 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:58.335400105 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:58.366008043 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:58.415612936 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:58.446237087 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:58.477843046 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:58.508677006 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:58.603470087 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:58.635688066 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:58.673021078 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:58.703991890 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:58.822587967 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:58.855446100 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:58.883898973 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:58.914707899 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:59.009452105 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:59.040250063 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:59.103066921 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:59.133682966 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:59.320054054 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:59.350832939 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:59.384612083 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:59.415494919 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:59.468890905 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:59.499579906 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:59.649624109 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:59.680293083 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:59.712111950 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:59.742652893 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:59.864775896 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:59.895387888 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:37:59.931041002 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:37:59.961791039 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:00.056143999 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:00.127749920 CEST	22378	49708	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:00.182921886 CEST	49708	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:04.354166031 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:04.384440899 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:04.384546041 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:04.391752005 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:04.421927929 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:04.447284937 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:04.477539062 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:04.541570902 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:04.572074890 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:04.681499958 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:04.711612940 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:04.806596994 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:04.837306976 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:04.887413025 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:04.922811031 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:05.010030031 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:05.040236950 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:05.088083982 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:05.118360996 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:05.213840961 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:05.244219065 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:05.353310108 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:05.385812998 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:05.432198048 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:05.464849949 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:05.562103987 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:05.594657898 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:05.689172983 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:05.722748995 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:05.744601965 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:05.777255058 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:05.853795052 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:05.884052038 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:06.009485006 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:06.039866924 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:06.120867014 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:06.190546989 CEST	22378	49709	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:06.259795904 CEST	49709	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:10.947829008 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:10.978771925 CEST	22378	49712	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:10.978933096 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:11.114012003 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:11.146862030 CEST	22378	49712	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:11.723541021 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:11.754926920 CEST	22378	49712	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:11.792958021 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:11.823889971 CEST	22378	49712	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:11.902371883 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:11.934346914 CEST	22378	49712	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:11.994277000 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:12.025028944 CEST	22378	49712	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:12.209912062 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:12.243458033 CEST	22378	49712	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:12.278104067 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:12.310245037 CEST	22378	49712	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:13.070338964 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:13.101237059 CEST	22378	49712	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:13.263070107 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:13.293661118 CEST	22378	49712	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:13.369754076 CEST	49712	22378	192.168.2.3	167.71.56.116
Sep 25, 2022 10:38:13.400302887 CEST	22378	49712	167.71.56.116	192.168.2.3
Sep 25, 2022 10:38:13.526094913 CEST	49712	22378	192.168.2.3	167.71.56.116

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2022 10:37:58.214035988 CEST	57990	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:37:58.251596928 CEST	53	57990	8.8.8.8	192.168.2.3
Sep 25, 2022 10:38:04.242063046 CEST	52387	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:38:04.352637053 CEST	53	52387	8.8.8.8	192.168.2.3
Sep 25, 2022 10:38:10.737216949 CEST	60625	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:38:10.921155930 CEST	53	60625	8.8.8.8	192.168.2.3
Sep 25, 2022 10:38:33.491652012 CEST	49302	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:38:33.538759947 CEST	53	49302	8.8.8.8	192.168.2.3
Sep 25, 2022 10:38:39.458796024 CEST	53975	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:38:39.499471903 CEST	53	53975	8.8.8.8	192.168.2.3
Sep 25, 2022 10:38:45.512289047 CEST	52955	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:38:45.532057047 CEST	53	52955	8.8.8.8	192.168.2.3
Sep 25, 2022 10:39:06.505239964 CEST	60582	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:39:06.525190115 CEST	53	60582	8.8.8.8	192.168.2.3
Sep 25, 2022 10:39:12.865638971 CEST	56042	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:39:12.972980976 CEST	53	56042	8.8.8.8	192.168.2.3
Sep 25, 2022 10:39:18.866290092 CEST	59636	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:39:18.976288080 CEST	53	59636	8.8.8.8	192.168.2.3
Sep 25, 2022 10:39:40.596112967 CEST	55638	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:39:40.703140020 CEST	53	55638	8.8.8.8	192.168.2.3
Sep 25, 2022 10:39:46.845093966 CEST	65320	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:39:46.883793116 CEST	53	65320	8.8.8.8	192.168.2.3
Sep 25, 2022 10:39:52.788522005 CEST	60767	53	192.168.2.3	8.8.8.8
Sep 25, 2022 10:39:52.979732990 CEST	53	60767	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2022 10:37:58.214035988 CEST	192.168.2.3	8.8.8.8	0x3869	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:38:04.242063046 CEST	192.168.2.3	8.8.8.8	0xd439	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:38:10.737216949 CEST	192.168.2.3	8.8.8.8	0xce18	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:38:33.491652012 CEST	192.168.2.3	8.8.8.8	0xafc3	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:38:39.458796024 CEST	192.168.2.3	8.8.8.8	0xd21d	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:38:45.512289047 CEST	192.168.2.3	8.8.8.8	0xce32	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:06.505239964 CEST	192.168.2.3	8.8.8.8	0xe731	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:12.865638971 CEST	192.168.2.3	8.8.8.8	0x17be	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:18.866290092 CEST	192.168.2.3	8.8.8.8	0x8e54	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:40.596112967 CEST	192.168.2.3	8.8.8.8	0xffc4	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:46.845093966 CEST	192.168.2.3	8.8.8.8	0x1802	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:52.788522005 CEST	192.168.2.3	8.8.8.8	0xb812	Standard query (0)	eu-central-7075.packetriot.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 25, 2022 10:37:58.251596928 CEST	8.8.8.8	192.168.2.3	0x3869	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:38:04.352637053 CEST	8.8.8.8	192.168.2.3	0xd439	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:38:10.921155930 CEST	8.8.8.8	192.168.2.3	0xce18	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:38:33.538759947 CEST	8.8.8.8	192.168.2.3	0xafc3	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:38:39.499471903 CEST	8.8.8.8	192.168.2.3	0xd21d	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:38:45.532057047 CEST	8.8.8.8	192.168.2.3	0xce32	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:06.525190115 CEST	8.8.8.8	192.168.2.3	0xe731	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:12.972980976 CEST	8.8.8.8	192.168.2.3	0x17be	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:18.976288080 CEST	8.8.8.8	192.168.2.3	0x8e54	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:40.703140020 CEST	8.8.8.8	192.168.2.3	0xffc4	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:46.883793116 CEST	8.8.8.8	192.168.2.3	0x1802	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false
Sep 25, 2022 10:39:52.979732990 CEST	8.8.8.8	192.168.2.3	0xb812	No error (0)	eu-central-7075.packetriot.net	167.71.56.116	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:37:56
Start date:	25/09/2022
Path:	C:\Users\user\Desktop\SdwkQEBnc3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SdwkQEBnc3.exe"
Imagebase:	0xf10000
File size:	207360 bytes
MD5 hash:	33851C19216F0E65DB0AECC27DC71FFC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000000.239926624.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.511555903.0000000004637000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.513466163.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.513184324.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.508672696.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SdwkQEBnc3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
SdwkQEBnc3.exe