Edit tour

Windows Analysis Report
new order.exe

Overview

General Information

Sample Name:	new order.exe
Analysis ID:	712322
MD5:	450aa1d2ac8e10a3b8363fe2945462bd
SHA1:	173275f693a10f8919c45dfb21f8035c7bc45fb6
SHA256:	316ff42588b6cf8c5a435efb67d44d08a2d860bab89612fc3e85ec6e9f4b4455
Tags:	exeNanoCore
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Connects to many ports of the same IP (likely port scanning)

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Encrypted powershell cmdline option found

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

new order.exe (PID: 5796 cmdline: "C:\Users\user\Desktop\new order.exe" MD5: 450AA1D2AC8E10A3B8363FE2945462BD)

powershell.exe (PID: 492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

InstallUtil.exe (PID: 2344 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

Luqkasd.exe (PID: 1016 cmdline: "C:\Users\user\AppData\Roaming\Znxqmfqxv\Luqkasd.exe" MD5: 450AA1D2AC8E10A3B8363FE2945462BD)

powershell.exe (PID: 5636 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Luqkasd.exe (PID: 628 cmdline: "C:\Users\user\AppData\Roaming\Znxqmfqxv\Luqkasd.exe" MD5: 450AA1D2AC8E10A3B8363FE2945462BD)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6a8dc68c-2ae6-4a66-b5dc-80cfa679", "Group": "jop", "Domain1": "146.70.76.43", "Domain2": "", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 9, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.527779375.00000000033BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.466623981.000000000427E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.466623981.000000000427E000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2aa65:$a: NanoCore 0x2ac25:$a: NanoCore 0x2d674:$a: NanoCore 0x2d69a:$a: NanoCore 0x2d9cb:$a: NanoCore 0x350aa:$a: NanoCore 0x2d67d:$b: ClientPlugin 0x2d6a3:$b: ClientPlugin 0x2d9d4:$b: ClientPlugin 0x3456b:$c: ProjectData 0x2fd3a:$d: DESCrypto 0x304b5:$e: KeepAlive 0x2f5e7:$g: LogClientMessage 0x2dc43:$i: get_Connected 0x2acf4:$j: #=q 0x2ad38:$j: #=q 0x2ad54:$j: #=q 0x2ad96:$j: #=q 0x2adb2:$j: #=q 0x2adce:$j: #=q 0x2ae26:$j: #=q
00000000.00000002.466623981.000000000427E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2d69a:$a1: NanoCore.ClientPluginHost 0x2d9cb:$a2: NanoCore.ClientPlugin 0x2d6c7:$b1: get_BuilderSettings 0x35047:$b2: ClientLoaderForm.resources 0x2b5d5:$b3: PluginCommand 0x2ddba:$b4: IClientAppHost 0x319bc:$b5: GetBlockHash 0x2dccf:$b6: AddHostEntry 0x2f5d4:$b7: LogClientException 0x2dc90:$b8: PipeExists 0x2dda7:$b9: IClientLoggingHost
0000000F.00000002.527200680.0000000003371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.453841918.0000000003031000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000003.255565605.0000000004056000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.527732524.00000000033B2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000000.450018784.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.450018784.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2a46d:$a: NanoCore 0x2a62d:$a: NanoCore 0x2d07c:$a: NanoCore 0x2d0a2:$a: NanoCore 0x2d3d3:$a: NanoCore 0x34ab2:$a: NanoCore 0x2d085:$b: ClientPlugin 0x2d0ab:$b: ClientPlugin 0x2d3dc:$b: ClientPlugin 0x33f73:$c: ProjectData 0x2f742:$d: DESCrypto 0x2febd:$e: KeepAlive 0x2efef:$g: LogClientMessage 0x2d64b:$i: get_Connected 0x2a6fc:$j: #=q 0x2a740:$j: #=q 0x2a75c:$j: #=q 0x2a79e:$j: #=q 0x2a7ba:$j: #=q 0x2a7d6:$j: #=q 0x2a82e:$j: #=q
0000000E.00000000.450018784.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2d0a2:$a1: NanoCore.ClientPluginHost 0x2d3d3:$a2: NanoCore.ClientPlugin 0x2d0cf:$b1: get_BuilderSettings 0x34a4f:$b2: ClientLoaderForm.resources 0x2afdd:$b3: PluginCommand 0x2d7c2:$b4: IClientAppHost 0x313c4:$b5: GetBlockHash 0x2d6d7:$b6: AddHostEntry 0x2efdc:$b7: LogClientException 0x2d698:$b8: PipeExists 0x2d7af:$b9: IClientLoggingHost
00000000.00000002.467477543.0000000005570000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.464712592.00000000040FB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.464712592.00000000040FB000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x86b15:$a: NanoCore 0x86cd5:$a: NanoCore 0x89724:$a: NanoCore 0x8974a:$a: NanoCore 0x89a7b:$a: NanoCore 0x9115a:$a: NanoCore 0x8972d:$b: ClientPlugin 0x89753:$b: ClientPlugin 0x89a84:$b: ClientPlugin 0x9061b:$c: ProjectData 0x8bdea:$d: DESCrypto 0x8c565:$e: KeepAlive 0x8b697:$g: LogClientMessage 0x89cf3:$i: get_Connected 0x86da4:$j: #=q 0x86de8:$j: #=q 0x86e04:$j: #=q 0x86e46:$j: #=q 0x86e62:$j: #=q 0x86e7e:$j: #=q 0x86ed6:$j: #=q
00000000.00000002.464712592.00000000040FB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8974a:$a1: NanoCore.ClientPluginHost 0x89a7b:$a2: NanoCore.ClientPlugin 0x89777:$b1: get_BuilderSettings 0x910f7:$b2: ClientLoaderForm.resources 0x87685:$b3: PluginCommand 0x89e6a:$b4: IClientAppHost 0x8da6c:$b5: GetBlockHash 0x89d7f:$b6: AddHostEntry 0x8b684:$b7: LogClientException 0x89d40:$b8: PipeExists 0x89e57:$b9: IClientLoggingHost
0000000E.00000002.538529652.0000000005E00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000E.00000002.538529652.0000000005E00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000E.00000002.538529652.0000000005E00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.538529652.0000000005E00000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0000000E.00000002.538529652.0000000005E00000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0000000F.00000002.533387647.00000000035B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000002.527475187.0000000002D29000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5a46d:$a1: NanoCore.ClientPluginHost 0x5a430:$a2: NanoCore.ClientPlugin 0x5a804:$b1: get_BuilderSettings 0x5a4bb:$b4: IClientAppHost 0x5a875:$b6: AddHostEntry 0x5a8e4:$b7: LogClientException 0x5a859:$b8: PipeExists 0x5a4a8:$b9: IClientLoggingHost
0000000E.00000002.533662558.0000000003D29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.533662558.0000000003D29000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x22ee5:$a: NanoCore 0x22f3e:$a: NanoCore 0x22f7b:$a: NanoCore 0x22ff4:$a: NanoCore 0x3669f:$a: NanoCore 0x366b4:$a: NanoCore 0x366e9:$a: NanoCore 0x4f153:$a: NanoCore 0x4f168:$a: NanoCore 0x4f19d:$a: NanoCore 0x22f47:$b: ClientPlugin 0x22f84:$b: ClientPlugin 0x23882:$b: ClientPlugin 0x2388f:$b: ClientPlugin 0x3645b:$b: ClientPlugin 0x36476:$b: ClientPlugin 0x364a6:$b: ClientPlugin 0x366bd:$b: ClientPlugin 0x366f2:$b: ClientPlugin 0x4ef0f:$b: ClientPlugin 0x4ef2a:$b: ClientPlugin
0000000E.00000002.533662558.0000000003D29000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x22f7b:$a1: NanoCore.ClientPluginHost 0x366e9:$a1: NanoCore.ClientPluginHost 0x4f19d:$a1: NanoCore.ClientPluginHost 0x22f3e:$a2: NanoCore.ClientPlugin 0x366b4:$a2: NanoCore.ClientPlugin 0x4f168:$a2: NanoCore.ClientPlugin 0x23312:$b1: get_BuilderSettings 0x3b62f:$b1: get_BuilderSettings 0x540e3:$b1: get_BuilderSettings 0x22fc9:$b4: IClientAppHost 0x23383:$b6: AddHostEntry 0x233f2:$b7: LogClientException 0x3b59e:$b7: LogClientException 0x54052:$b7: LogClientException 0x23367:$b8: PipeExists 0x22fb6:$b9: IClientLoggingHost 0x36703:$b9: IClientLoggingHost 0x4f1b7:$b9: IClientLoggingHost
00000010.00000002.528679468.000000000347F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.466145560.00000000041DD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.466145560.00000000041DD000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2b845:$a: NanoCore 0x2ba05:$a: NanoCore 0x2e454:$a: NanoCore 0x2e47a:$a: NanoCore 0x2e7ab:$a: NanoCore 0x35e8a:$a: NanoCore 0x2e45d:$b: ClientPlugin 0x2e483:$b: ClientPlugin 0x2e7b4:$b: ClientPlugin 0x3534b:$c: ProjectData 0x30b1a:$d: DESCrypto 0x31295:$e: KeepAlive 0x303c7:$g: LogClientMessage 0x2ea23:$i: get_Connected 0x2bad4:$j: #=q 0x2bb18:$j: #=q 0x2bb34:$j: #=q 0x2bb76:$j: #=q 0x2bb92:$j: #=q 0x2bbae:$j: #=q 0x2bc06:$j: #=q
00000000.00000002.466145560.00000000041DD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2e47a:$a1: NanoCore.ClientPluginHost 0x2e7ab:$a2: NanoCore.ClientPlugin 0x2e4a7:$b1: get_BuilderSettings 0x35e27:$b2: ClientLoaderForm.resources 0x2c3b5:$b3: PluginCommand 0x2eb9a:$b4: IClientAppHost 0x3279c:$b5: GetBlockHash 0x2eaaf:$b6: AddHostEntry 0x303b4:$b7: LogClientException 0x2ea70:$b8: PipeExists 0x2eb87:$b9: IClientLoggingHost
00000010.00000002.527935405.000000000343B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.457661334.00000000032A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000002.538073119.0000000005660000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000E.00000002.538073119.0000000005660000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000E.00000002.538073119.0000000005660000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0000000E.00000002.538073119.0000000005660000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000000.00000003.257014991.00000000042E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: new order.exe PID: 5796	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: new order.exe PID: 5796	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: new order.exe PID: 5796	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1dc42:$a: NanoCore 0x1ddfd:$a: NanoCore 0x20828:$a: NanoCore 0x2084e:$a: NanoCore 0x20b7f:$a: NanoCore 0x281b7:$a: NanoCore 0x28360:$a: NanoCore 0x2ab8f:$a: NanoCore 0x2abb2:$a: NanoCore 0x2aec0:$a: NanoCore 0x31e54:$a: NanoCore 0x31eca:$a: NanoCore 0x47318:$a: NanoCore 0x474d3:$a: NanoCore 0x49efe:$a: NanoCore 0x49f24:$a: NanoCore 0x4a255:$a: NanoCore 0x5188d:$a: NanoCore 0x51a36:$a: NanoCore 0x54265:$a: NanoCore 0x54288:$a: NanoCore
Process Memory Space: new order.exe PID: 5796	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2084e:$a1: NanoCore.ClientPluginHost 0x49f24:$a1: NanoCore.ClientPluginHost 0xe2bd6:$a1: NanoCore.ClientPluginHost 0x20b7f:$a2: NanoCore.ClientPlugin 0x4a255:$a2: NanoCore.ClientPlugin 0xe2f07:$a2: NanoCore.ClientPlugin 0x2087b:$b1: get_BuilderSettings 0x49f51:$b1: get_BuilderSettings 0xe2c03:$b1: get_BuilderSettings 0x28175:$b2: ClientLoaderForm.resources 0x5184b:$b2: ClientLoaderForm.resources 0xea4fd:$b2: ClientLoaderForm.resources 0x1e7a3:$b3: PluginCommand 0x47e79:$b3: PluginCommand 0xe0b2b:$b3: PluginCommand 0x20f6e:$b4: IClientAppHost 0x4a644:$b4: IClientAppHost 0xe32f6:$b4: IClientAppHost 0x24b57:$b5: GetBlockHash 0x4e22d:$b5: GetBlockHash 0xe6edf:$b5: GetBlockHash
Process Memory Space: InstallUtil.exe PID: 2344	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 2344	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0b:$a: NanoCore 0xe67:$a: NanoCore 0xeda:$a: NanoCore 0x15b12:$a: NanoCore 0x15ccd:$a: NanoCore 0x186f8:$a: NanoCore 0x1871e:$a: NanoCore 0x18a4f:$a: NanoCore 0x20087:$a: NanoCore 0x20230:$a: NanoCore 0x22a5f:$a: NanoCore 0x22a82:$a: NanoCore 0x22d90:$a: NanoCore 0x29d24:$a: NanoCore 0x29d9a:$a: NanoCore 0x34153:$a: NanoCore 0x34168:$a: NanoCore 0x3419d:$a: NanoCore 0x3931f:$a: NanoCore 0x39332:$a: NanoCore 0x39364:$a: NanoCore
Process Memory Space: InstallUtil.exe PID: 2344	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1871e:$a1: NanoCore.ClientPluginHost 0x3419d:$a1: NanoCore.ClientPluginHost 0x47da1:$a1: NanoCore.ClientPluginHost 0x90a64:$a1: NanoCore.ClientPluginHost 0x18a4f:$a2: NanoCore.ClientPlugin 0x34168:$a2: NanoCore.ClientPlugin 0x47d64:$a2: NanoCore.ClientPlugin 0x90a27:$a2: NanoCore.ClientPlugin 0x1874b:$b1: get_BuilderSettings 0x38f6f:$b1: get_BuilderSettings 0x4811b:$b1: get_BuilderSettings 0x90dde:$b1: get_BuilderSettings 0x20045:$b2: ClientLoaderForm.resources 0x16673:$b3: PluginCommand 0x18e3e:$b4: IClientAppHost 0x47def:$b4: IClientAppHost 0x90ab2:$b4: IClientAppHost 0x1ca27:$b5: GetBlockHash 0x18d53:$b6: AddHostEntry 0x4818c:$b6: AddHostEntry 0x90e4f:$b6: AddHostEntry
Process Memory Space: Luqkasd.exe PID: 1016	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Luqkasd.exe PID: 628	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 40 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.new order.exe.412f488.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5044d:$x1: NanoCore Client.exe 0x50dfd:$s1: PluginCommand 0x50df1:$s2: FileCommand
0.2.new order.exe.5570000.5.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.2.InstallUtil.exe.5e04629.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
14.2.InstallUtil.exe.5e04629.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
14.2.InstallUtil.exe.5e04629.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.InstallUtil.exe.5e04629.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
14.2.InstallUtil.exe.5e04629.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
0.2.new order.exe.5570000.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.3.new order.exe.42e13d0.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.new order.exe.427e3f8.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2d2a2:$x1: NanoCore.ClientPluginHost 0x2d859:$x2: IClientNetworkHost
0.2.new order.exe.427e3f8.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2a82d:$x1: NanoCore Client.exe 0x2d2a2:$x2: NanoCore.ClientPluginHost 0x2b1dd:$s1: PluginCommand 0x2b1d1:$s2: FileCommand 0x2d898:$s3: PipeExists 0x30091:$s4: PipeCreated 0x2d9af:$s5: IClientLoggingHost
0.2.new order.exe.427e3f8.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.new order.exe.427e3f8.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x35012:$s1: file:/// 0x34f20:$s2: {11111-22222-10009-11112} 0x34fa2:$s3: {11111-22222-50001-00000} 0x31af6:$s4: get_Module 0x31f39:$s5: Reverse 0x34749:$s6: BlockCopy 0x34739:$s7: ReadByte 0x35024:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.new order.exe.427e3f8.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2a66d:$x1: NanoCore Client 0x2a82d:$x1: NanoCore Client 0x34cb2:$x1: NanoCore Client 0x2d5d3:$x2: NanoCore.ClientPlugin 0x2d2a2:$x3: NanoCore.ClientPluginHost 0x2d630:$i1: IClientApp 0x2d5c7:$i2: IClientData 0x2d605:$i3: IClientNetwork 0x2d9c2:$i4: IClientAppHost 0x2d292:$i5: IClientDataHost 0x2d9af:$i6: IClientLoggingHost 0x2d859:$i7: IClientNetworkHost 0x2d9a1:$i8: IClientUIHost 0x2d260:$i9: IClientNameObjectCollection 0x2d2e3:$i10: IClientReadOnlyNameObjectCollection 0x2d285:$s1: ClientPlugin 0x2d5dc:$s1: ClientPlugin 0x33f4a:$s2: EndPoint 0x2cc21:$s3: IPAddress 0x3019e:$s4: IPEndPoint 0x2d2bc:$s6: get_ClientSettings
0.2.new order.exe.427e3f8.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2a66d:$a: NanoCore 0x2a82d:$a: NanoCore 0x2d27c:$a: NanoCore 0x2d2a2:$a: NanoCore 0x2d5d3:$a: NanoCore 0x34cb2:$a: NanoCore 0x2d285:$b: ClientPlugin 0x2d2ab:$b: ClientPlugin 0x2d5dc:$b: ClientPlugin 0x34173:$c: ProjectData 0x2f942:$d: DESCrypto 0x300bd:$e: KeepAlive 0x2f1ef:$g: LogClientMessage 0x2d84b:$i: get_Connected 0x2a8fc:$j: #=q 0x2a940:$j: #=q 0x2a95c:$j: #=q 0x2a99e:$j: #=q 0x2a9ba:$j: #=q 0x2a9d6:$j: #=q 0x2aa2e:$j: #=q
0.2.new order.exe.427e3f8.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2d2a2:$a1: NanoCore.ClientPluginHost 0x2d5d3:$a2: NanoCore.ClientPlugin 0x2d2cf:$b1: get_BuilderSettings 0x34c4f:$b2: ClientLoaderForm.resources 0x2b1dd:$b3: PluginCommand 0x2d9c2:$b4: IClientAppHost 0x315c4:$b5: GetBlockHash 0x2d8d7:$b6: AddHostEntry 0x2f1dc:$b7: LogClientException 0x2d898:$b8: PipeExists 0x2d9af:$b9: IClientLoggingHost
14.2.InstallUtil.exe.3d4ff3c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28261:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2828e:$x2: IClientNetworkHost
14.2.InstallUtil.exe.3d4ff3c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28261:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2933c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2827b:$s5: IClientLoggingHost
14.2.InstallUtil.exe.3d4ff3c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.InstallUtil.exe.3d4ff3c.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x2822c:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28261:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28220:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x28242:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28251:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x2827b:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x2828e:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x282a1:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282af:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282cb:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
14.2.InstallUtil.exe.3d4ff3c.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28261:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x2822c:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d1a7:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d116:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x2827b:$b9: IClientLoggingHost
14.2.InstallUtil.exe.5660000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.InstallUtil.exe.5660000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.InstallUtil.exe.5660000.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
14.2.InstallUtil.exe.5660000.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
14.2.InstallUtil.exe.5e00000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
14.2.InstallUtil.exe.5e00000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
14.2.InstallUtil.exe.5e00000.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.InstallUtil.exe.5e00000.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
14.2.InstallUtil.exe.5e00000.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
new order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report new order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Windows Analysis Report
new order.exe