Windows Analysis Report
G62PnhPS1s.exe

Overview

General Information

Sample Name: G62PnhPS1s.exe
Analysis ID: 714139
MD5: 07653fd9f64401f9f1696f4782c926f4
SHA1: aed898c8d28306aa28785004252b81144bb73676
SHA256: 34915a0eded4e59cfd552ae7724e99584ec58f24b8a562fd90aa6dcb9397a019
Tags: exeNanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Sigma detected: Scheduled temp file as task from temp location
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (window names)
Machine Learning detection for sample
.NET source code contains potential unpacker
PE file has nameless sections
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks for debuggers (devices)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: G62PnhPS1s.exe ReversingLabs: Detection: 84%
Source: G62PnhPS1s.exe Virustotal: Detection: 50%
Source: G62PnhPS1s.exe Avira: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Avira: detection malicious, Label: HEUR/AGEN.1215957
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Virustotal: Detection: 50%
Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.G62PnhPS1s.exe.429eaac.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR
Source: G62PnhPS1s.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack Avira: Label: TR/NanoCore.fadte
Source: 5.2.G62PnhPS1s.exe.432000.1.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: G62PnhPS1s.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\G62PnhPS1s.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: 6C:\Windows\dll\mscorlib.pdb source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Fc:\windows\symbols\dll\mscorlib.pdb2.&u source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.configib.pdb118cY7 source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .C:\Windows\mscorlib.pdbpdb source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\windows\assembly\gac_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb5ffaY7 source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .C:\Windows\mscorlib.pdbpdb4 source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .c:\windows\mscorlib.pdbpdb source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49682 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49682 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49682 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49683 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49683 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49684 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49684 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49689 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49689 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49690 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49690 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49691 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49691 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49692 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49692 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49693 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49693 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49694 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49694 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49695 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49695 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49696 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49696 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49697 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49697 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49697 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49698 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49698 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49700 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49700 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49701 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49701 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49702 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49702 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49703 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49703 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49704 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49704 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49705 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49705 -> 209.25.141.180:27725
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49706 -> 209.25.141.180:27725
Source: Joe Sandbox View ASN Name: COGECO-PEER1CA COGECO-PEER1CA
Source: Joe Sandbox View IP Address: 209.25.141.180 209.25.141.180
Source: global traffic TCP traffic: 192.168.2.4:49682 -> 209.25.141.180:27725
Source: G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp, dhcpmon.exe, 00000006.00000002.327616554.0000000000791000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.enigmaprotector.com/
Source: G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.enigmaprotector.com/openU
Source: unknown DNS traffic detected: queries for: cable-corporation.at.playit.gg
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B3242 WSARecv, 0_2_053B3242
Source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: G62PnhPS1s.exe, 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.G62PnhPS1s.exe.429eaac.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR

System Summary

Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.329734424.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.329900820.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.329633274.0000000004219000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.575419070.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: G62PnhPS1s.exe Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: G62PnhPS1s.exe, type: SAMPLE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.0.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.329734424.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.329900820.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.329633274.0000000004219000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.575419070.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_02862478 0_2_02862478
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_02877ABF 0_2_02877ABF
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053789D8 0_2_053789D8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_05373850 0_2_05373850
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053723A0 0_2_053723A0
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_05372FA8 0_2_05372FA8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_0537B2A8 0_2_0537B2A8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053795D8 0_2_053795D8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_0537306F 0_2_0537306F
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_0537969F 0_2_0537969F
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00405242 5_2_00405242
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004057C6 5_2_004057C6
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00405ACE 5_2_00405ACE
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00405986 5_2_00405986
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004430B6 5_2_004430B6
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_029023A0 5_2_029023A0
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_02902FA8 5_2_02902FA8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_02903850 5_2_02903850
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0290306F 5_2_0290306F
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: String function: 00436264 appears 70 times
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B1BB2 NtQuerySystemInformation, 0_2_053B1BB2
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B1B77 NtQuerySystemInformation, 0_2_053B1B77
Source: G62PnhPS1s.exe, 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.578043243.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.580084127.0000000005EC0000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.578057166.0000000004240000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.575419070.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000005.00000002.329785788.00000000042B6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000005.00000002.329977094.00000000042D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000005.00000002.329841701.00000000042BD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe Static PE information: Section: ZLIB complexity 0.9996004971590909
Source: G62PnhPS1s.exe Static PE information: Section: ZLIB complexity 1.0003995028409092
Source: G62PnhPS1s.exe Static PE information: Section: ZLIB complexity 1.021484375
Source: G62PnhPS1s.exe Static PE information: Section: .random ZLIB complexity 0.996978407058338
Source: dhcpmon.exe.0.dr Static PE information: Section: ZLIB complexity 0.9996004971590909
Source: dhcpmon.exe.0.dr Static PE information: Section: ZLIB complexity 1.0003995028409092
Source: dhcpmon.exe.0.dr Static PE information: Section: ZLIB complexity 1.021484375
Source: dhcpmon.exe.0.dr Static PE information: Section: .random ZLIB complexity 0.996978407058338
Source: G62PnhPS1s.exe ReversingLabs: Detection: 84%
Source: G62PnhPS1s.exe Virustotal: Detection: 50%
Source: C:\Users\user\Desktop\G62PnhPS1s.exe File read: C:\Users\user\Desktop\G62PnhPS1s.exe
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\G62PnhPS1s.exe C:\Users\user\Desktop\G62PnhPS1s.exe
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF531.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\G62PnhPS1s.exe C:\Users\user\Desktop\G62PnhPS1s.exe 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF531.tmp
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B1972 AdjustTokenPrivileges, 0_2_053B1972
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B193B AdjustTokenPrivileges, 0_2_053B193B
Source: C:\Users\user\Desktop\G62PnhPS1s.exe File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: C:\Users\user\Desktop\G62PnhPS1s.exe File created: C:\Users\user\AppData\Local\Temp\tmpF33C.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/8@20/2
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{a11f01f0-4c67-40a2-aa25-75584883ef2b}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01
Source: C:\Users\user\Desktop\G62PnhPS1s.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, u0040?2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, u0040?2.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, u0040?2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\G62PnhPS1s.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\G62PnhPS1s.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: G62PnhPS1s.exe Static file information: File size 1246208 > 1048576
Source: Binary string: 6C:\Windows\dll\mscorlib.pdb source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Fc:\windows\symbols\dll\mscorlib.pdb2.&u source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.configib.pdb118cY7 source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .C:\Windows\mscorlib.pdbpdb source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\windows\assembly\gac_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb5ffaY7 source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .C:\Windows\mscorlib.pdbpdb4 source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .c:\windows\mscorlib.pdbpdb source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, u0040?2.cs .Net Code: @? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, u0040?2.cs .Net Code: @? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_02879D73 pushad ; retf 0_2_02879D79
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00406051 push es; retn 0000h 5_2_0040604E
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00406C04 push es; ret 5_2_00406C19
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004057C6 push es; retn 0000h 5_2_0040604E
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00405ACE push es; retn 0000h 5_2_0040604E
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00405986 push es; retn 0000h 5_2_0040604E
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044E104 push ecx; mov dword ptr [esp], edx 5_2_0044E109
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0045219C push ecx; mov dword ptr [esp], edx 5_2_0045219E
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044228C push 004426D8h; ret 5_2_004426D0
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044E32C push ecx; mov dword ptr [esp], edx 5_2_0044E331
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0043A3EA push 0043A418h; ret 5_2_0043A410
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044B3A0 push 0044B400h; ret 5_2_0044B3F8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044E448 push ecx; mov dword ptr [esp], edx 5_2_0044E44D
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044C454 push 0044C4A1h; ret 5_2_0044C499
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0043A45C push 0043A488h; ret 5_2_0043A480
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0045840C push ecx; mov dword ptr [esp], edx 5_2_00458411
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0043A424 push 0043A450h; ret 5_2_0043A448
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0043A4F8 push 0043A52Ch; ret 5_2_0043A524
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044E48C push ecx; mov dword ptr [esp], edx 5_2_0044E491
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0043A494 push 0043A4C0h; ret 5_2_0043A4B8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0045054C push ecx; mov dword ptr [esp], edx 5_2_0045054D
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044A536 push 0044A5B5h; ret 5_2_0044A5AD
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004385F0 push 00438641h; ret 5_2_00438639
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044962C push 004496A2h; ret 5_2_0044969A
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004426DA push 0044274Bh; ret 5_2_00442743
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044B684 push ecx; mov dword ptr [esp], ecx 5_2_0044B687
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004496A4 push 0044974Ch; ret 5_2_00449744
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00449760 push 0044979Ch; ret 5_2_00449794
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044285E push 0044288Ch; ret 5_2_00442884
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044A804 push 0044A830h; ret 5_2_0044A828
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044B8F4 push ecx; mov dword ptr [esp], ecx 5_2_0044B8F6
Source: G62PnhPS1s.exe Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: section name: .random
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name: .random
Source: initial sample Static PE information: section name: entropy: 7.996241313774297
Source: initial sample Static PE information: section name: entropy: 7.9977165676251
Source: initial sample Static PE information: section name: entropy: 7.310216660215987
Source: initial sample Static PE information: section name: .random entropy: 7.984769720522192
Source: initial sample Static PE information: section name: entropy: 7.996241313774297
Source: initial sample Static PE information: section name: entropy: 7.9977165676251
Source: initial sample Static PE information: section name: entropy: 7.310216660215987
Source: initial sample Static PE information: section name: .random entropy: 7.984769720522192
Source: C:\Users\user\Desktop\G62PnhPS1s.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival

Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\G62PnhPS1s.exe File opened: C:\Users\user\Desktop\G62PnhPS1s.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe TID: 5532 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe TID: 5652 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe TID: 5648 Thread sleep time: -620000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe TID: 5692 Thread sleep count: 226 > 30 Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe TID: 5736 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5712 Thread sleep count: 364 > 30 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5752 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5820 Thread sleep count: 1090 > 30 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5856 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Window / User API: threadDelayed 995 Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Window / User API: foregroundWindowGot 1049 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Window / User API: threadDelayed 364 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Window / User API: threadDelayed 1090 Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B169A GetSystemInfo, 0_2_053B169A
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: dhcpmon.exe, 00000006.00000002.325388305.0000000000591000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ~VirtualMachineTypes
Source: G62PnhPS1s.exe, 00000000.00000002.573728418.0000000000A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: dhcpmon.exe, 00000006.00000002.325388305.0000000000591000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: dhcpmon.exe, 00000006.00000002.325388305.0000000000591000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: &VBoxService.exe
Source: G62PnhPS1s.exe, 00000000.00000002.573728418.0000000000A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\G62PnhPS1s.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened: SIWDEBUG
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened: NTICE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened: SICE
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp Jump to behavior
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF531.tmp Jump to behavior
Source: G62PnhPS1s.exe, 00000000.00000002.577634870.0000000003408000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerH
Source: G62PnhPS1s.exe, 00000000.00000002.577634870.0000000003408000.00000004.00000800.00020000.00000000.sdmp, G62PnhPS1s.exe, 00000000.00000002.576203045.000000000327E000.00000004.00000800.00020000.00000000.sdmp, G62PnhPS1s.exe, 00000000.00000002.577769543.0000000003429000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: G62PnhPS1s.exe, 00000000.00000002.573728418.0000000000A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerlement, System.WorkflowServices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
Source: G62PnhPS1s.exe, 00000000.00000002.575731834.0000000003214000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerr
Source: G62PnhPS1s.exe, 00000000.00000002.576203045.000000000327E000.00000004.00000800.00020000.00000000.sdmp, G62PnhPS1s.exe, 00000000.00000002.577769543.0000000003429000.00000004.00000800.00020000.00000000.sdmp, G62PnhPS1s.exe, 00000000.00000002.575997920.000000000324E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager[
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.G62PnhPS1s.exe.429eaac.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR

Remote Access Functionality

Source: G62PnhPS1s.exe, 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: G62PnhPS1s.exe, 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: G62PnhPS1s.exe, 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: G62PnhPS1s.exe, 00000000.00000002.575419070.00000000031C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: G62PnhPS1s.exe, 00000000.00000002.575419070.00000000031C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: G62PnhPS1s.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: G62PnhPS1s.exe, 00000005.00000002.329900820.00000000042C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: G62PnhPS1s.exe, 00000005.00000002.329900820.00000000042C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HApplicationBaseMicrosoft.VisualBasic.ApplicationServicesUserConversionsMicrosoft.VisualBasic.CompilerServicesObjectFlowControlOperatorsProjectDataStandardModuleAttributeComputerMicrosoft.VisualBasic.DevicesHideModuleNameAttributeMyGroupCollectionAttributeContextValue`1Microsoft.VisualBasic.MyServices.InternalClientInvokeDelegateNanoCoreIClientDataNanoCore.ClientPluginIClientNetworkIClientDataHostNanoCore.ClientPluginHostIClientLoggingHostIClientNetworkHostIClientUIHostIClientNameObjectCollectionIClientReadOnlyNameObjectCollectionActivatorAppDomainArgumentOutOfRangeExceptionArrayAsyncCallbackBitConverterBooleanBufferByteCharCLSCompliantAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerDictionary`2System.Collections.GenericEnumeratorIEnumerable`1KeyValuePair`2List`1IEnumeratorSystem.CollectionsEditorBrowsableAttributeSystem.ComponentModelEditorBrowsableStateApplicationSettingsBaseSystem.ConfigurationSettingsBaseDateTimeDateTimeKindDelegateDebuggerDisplayAttributeSystem.DiagnosticsDebuggerHiddenAttributeDebuggerNonUserCodeAttributeDebuggerStepThroughAttributeProcessStackFrameStackTraceDoubleEnumEnvironmentExceptionCultureInfoSystem.GlobalizationIAsyncResultIDisposableInt16Int32Int64IntPtrBinaryReaderSystem.IOBinaryWriterDirectoryDirectoryInfoEndOfStreamExceptionFileFileAccessFileInfoFileModeFileStreamFileSystemInfoMemoryStreamPathStreamStringReaderMathMulticastDelegateObjectAssemblySystem.ReflectionAssemblyCompanyAttributeAssemblyCopyrightAttributeAssemblyDescriptionAttributeAssemblyFileVersionAttributeAssemblyNameAssemblyProductAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeDefaultMemberAttributeMemberInfoMethodBaseResolveEventArgsResolveEventHandlerResourceManagerSystem.ResourcesCompilationRelaxationsAttributeSystem.Runtime.CompilerServicesCompilerGeneratedAttributeRuntimeCompatibilityAttributeRuntimeHelpersSuppressIldasmAttributeComVisibleAttributeSystem.Runtime.InteropServicesGuidAttributeMarshalRuntimeEnvironmentRuntimeMethodHandleRuntimeTypeHandleSuppressUnmanagedCodeSecurityAttributeSystem.SecurityStringStringSplitOptionsEncodingSystem.TextCaptureSystem.Text.RegularExpressionsGroupGroupCollectionMatchMatchCollectionRegexStringBuilderMonitorSystem.ThreadingThreadThreadPoolTimerTimerCallbackWaitCallbackTimeSpanTypeUInt16UInt32UInt64UriUriKindValueTypeVoidClipboardCreateParamsKeysMessageNativeWindow<Module>#=q$SxR33u2B2QKyvTy6OUx3VUEnsU1BBIwrFbNm_dTmvc=#=q1WnXnf5Kn3oZdelfZ9atXg==#=q4Jhplum5EMsDzltMg_L_tgoPjr8zzldX6k5uL$T8QHU=#=qaeAZ85IK9icf1hoO$eIUgQ==#=qbDWEs19y0rXNZJloHjyEAXFFSfYqbb6nrn10YnV15GU=#=qgHfmPA2gNKnydwzqeSF_2nVCUjp4Sfb3eJfQd$j975A=#=q3$4$aeeKw0G6KJpmbsHtCSC3$LdCNMfTzWNTjLVfIoU=#=qwJ4w0jkRVthW3ex8w5dly$cWay1Am4JSh9ZTwaXqcz4=#=qZDfXudm0$xsDWCHGELpd5JJQykxvZE2iCT02xHzYWZs=#=qBUViwm1Wzov4U2EcqfWHEYm9yRhCdBkuxxjXALmkpzo=#=qps$_CRy8QN3tD8_cpxbl5Q==#=qeoqI9zQPLOZjV1JthHFzOD41rl7NT5wwztozAPfluxU=#=qfisk2$Joqzyumzd6fh2dOQ==#=qjw6ERKjxRJyhmlKKhTbkm3qZjjnDTqlES7REqNxqUOg=#=qm8f9k1aXVtORA4naJCkxW5anSegBcHo_NtygLkyg$zI=#=qG3u5K_RN
Source: G62PnhPS1s.exe, 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: G62PnhPS1s.exe, 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: G62PnhPS1s.exe, 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000006.00000002.329734424.000000000422E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000006.00000002.329734424.000000000422E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HApplicationBaseMicrosoft.VisualBasic.ApplicationServicesUserConversionsMicrosoft.VisualBasic.CompilerServicesObjectFlowControlOperatorsProjectDataStandardModuleAttributeComputerMicrosoft.VisualBasic.DevicesHideModuleNameAttributeMyGroupCollectionAttributeContextValue`1Microsoft.VisualBasic.MyServices.InternalClientInvokeDelegateNanoCoreIClientDataNanoCore.ClientPluginIClientNetworkIClientDataHostNanoCore.ClientPluginHostIClientLoggingHostIClientNetworkHostIClientUIHostIClientNameObjectCollectionIClientReadOnlyNameObjectCollectionActivatorAppDomainArgumentOutOfRangeExceptionArrayAsyncCallbackBitConverterBooleanBufferByteCharCLSCompliantAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerDictionary`2System.Collections.GenericEnumeratorIEnumerable`1KeyValuePair`2List`1IEnumeratorSystem.CollectionsEditorBrowsableAttributeSystem.ComponentModelEditorBrowsableStateApplicationSettingsBaseSystem.ConfigurationSettingsBaseDateTimeDateTimeKindDelegateDebuggerDisplayAttributeSystem.DiagnosticsDebuggerHiddenAttributeDebuggerNonUserCodeAttributeDebuggerStepThroughAttributeProcessStackFrameStackTraceDoubleEnumEnvironmentExceptionCultureInfoSystem.GlobalizationIAsyncResultIDisposableInt16Int32Int64IntPtrBinaryReaderSystem.IOBinaryWriterDirectoryDirectoryInfoEndOfStreamExceptionFileFileAccessFileInfoFileModeFileStreamFileSystemInfoMemoryStreamPathStreamStringReaderMathMulticastDelegateObjectAssemblySystem.ReflectionAssemblyCompanyAttributeAssemblyCopyrightAttributeAssemblyDescriptionAttributeAssemblyFileVersionAttributeAssemblyNameAssemblyProductAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeDefaultMemberAttributeMemberInfoMethodBaseResolveEventArgsResolveEventHandlerResourceManagerSystem.ResourcesCompilationRelaxationsAttributeSystem.Runtime.CompilerServicesCompilerGeneratedAttributeRuntimeCompatibilityAttributeRuntimeHelpersSuppressIldasmAttributeComVisibleAttributeSystem.Runtime.InteropServicesGuidAttributeMarshalRuntimeEnvironmentRuntimeMethodHandleRuntimeTypeHandleSuppressUnmanagedCodeSecurityAttributeSystem.SecurityStringStringSplitOptionsEncodingSystem.TextCaptureSystem.Text.RegularExpressionsGroupGroupCollectionMatchMatchCollectionRegexStringBuilderMonitorSystem.ThreadingThreadThreadPoolTimerTimerCallbackWaitCallbackTimeSpanTypeUInt16UInt32UInt64UriUriKindValueTypeVoidClipboardCreateParamsKeysMessageNativeWindow<Module>#=q$SxR33u2B2QKyvTy6OUx3VUEnsU1BBIwrFbNm_dTmvc=#=q1WnXnf5Kn3oZdelfZ9atXg==#=q4Jhplum5EMsDzltMg_L_tgoPjr8zzldX6k5uL$T8QHU=#=qaeAZ85IK9icf1hoO$eIUgQ==#=qbDWEs19y0rXNZJloHjyEAXFFSfYqbb6nrn10YnV15GU=#=qgHfmPA2gNKnydwzqeSF_2nVCUjp4Sfb3eJfQd$j975A=#=q3$4$aeeKw0G6KJpmbsHtCSC3$LdCNMfTzWNTjLVfIoU=#=qwJ4w0jkRVthW3ex8w5dly$cWay1Am4JSh9ZTwaXqcz4=#=qZDfXudm0$xsDWCHGELpd5JJQykxvZE2iCT02xHzYWZs=#=qBUViwm1Wzov4U2EcqfWHEYm9yRhCdBkuxxjXALmkpzo=#=qps$_CRy8QN3tD8_cpxbl5Q==#=qeoqI9zQPLOZjV1JthHFzOD41rl7NT5wwztozAPfluxU=#=qfisk2$Joqzyumzd6fh2dOQ==#=qjw6ERKjxRJyhmlKKhTbkm3qZjjnDTqlES7REqNxqUOg=#=qm8f9k1aXVtORA4naJCkxW5anSegBcHo_NtygLkyg$zI=#=qG3u5K_RN
Source: dhcpmon.exe, 00000006.00000002.329633274.0000000004219000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000006.00000002.329633274.0000000004219000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.G62PnhPS1s.exe.429eaac.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR
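Added example, not part of the Joe Sandbox report and not code from the sample: a standalone Python scanner that reproduces the string check behind the matches above. It looks for the NanoCore.ClientPluginHost namespace and its IClient*Host interface names in a raw memory buffer, both as ASCII (the encoding of names in a .NET #Strings heap, which is how they appear in the dumps above) and as UTF-16LE, and separately counts member names of the form #=q... as seen in the dhcpmon.exe dump, a naming pattern produced by .NET renaming obfuscators. The marker list, the verdict thresholds (three distinct markers, five obfuscated names) and SAMPLE_DUMP are this example's own assumptions; the sample bytes are constructed here, not taken from the analysed process memory.

```python
"""Scan a memory image or unpacked PE for NanoCore client-plugin host names.

Added example; the marker list and thresholds are assumptions of this
example, and SAMPLE_DUMP is constructed, not a dump of the analysed sample.
"""
import re
import sys

# Type/interface names the report matched in G62PnhPS1s.exe and dhcpmon.exe.
NANOCORE_MARKERS = [
    b"NanoCore.ClientPluginHost",
    b"NanoCore.ClientPlugin",
    b"IClientNetworkHost",
    b"IClientLoggingHost",
    b"IClientUIHost",
    b"IClientDataHost",
    b"IClientAppHost",
    b"ClientPlugin.dll",
]

# Renamed members of the form "#=q<base64-like>" (seen in the dhcpmon.exe
# dump) indicate a .NET renaming obfuscator; many of them is a signal on
# its own even when the NanoCore names have been stripped.
OBFUSCATED_NAME = re.compile(rb"#=q[A-Za-z0-9_$]{8,}={0,2}")


def find_markers(data: bytes) -> dict:
    """Map each marker found to its sorted offsets, matching ASCII and UTF-16LE."""
    hits = {}
    for marker in NANOCORE_MARKERS:
        wide = marker.decode("ascii").encode("utf-16-le")
        offsets = [m.start() for m in re.finditer(re.escape(marker), data)]
        offsets += [m.start() for m in re.finditer(re.escape(wide), data)]
        if offsets:
            hits[marker.decode("ascii")] = sorted(offsets)
    return hits


def count_obfuscated_names(data: bytes) -> int:
    """Number of distinct #=q... identifiers in the buffer."""
    return len(set(OBFUSCATED_NAME.findall(data)))


def classify(data: bytes, min_markers: int = 3, min_obfuscated: int = 5) -> str:
    """Verdict: 'nanocore-plugin-host', 'suspicious' or 'clean'."""
    hits = find_markers(data)
    if len(hits) >= min_markers:
        return "nanocore-plugin-host"
    if hits or count_obfuscated_names(data) >= min_obfuscated:
        return "suspicious"
    return "clean"


# Constructed stand-in for a .NET #Strings heap (NUL-separated names); not
# taken from the analysed process memory.
SAMPLE_DUMP = b"\x00".join([
    b"<Module>", b"mscorlib", b"Microsoft.VisualBasic",
    b"NanoCore.ClientPluginHost", b"IClientNetworkHost",
    b"IClientLoggingHost", b"IClientUIHost", b"ClientPlugin.dll",
    b"#=qAbCdEfGh1234$_=", b"#=qZzYyXxWw9876==",
]) + b"\x00"


if __name__ == "__main__":
    # Usage: python scan.py <dump-or-unpacked-pe>; with no argument the
    # constructed sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for name, offs in find_markers(blob).items():
        print(f"{name:28s} at {', '.join(hex(o) for o in offs)}")
    print("obfuscated names:", count_obfuscated_names(blob))
    print("verdict:", classify(blob))
```

Point it at a .sdmp memory dump or an unpacked PE such as the 5.2.G62PnhPS1s.exe.400000.0.unpack file listed above. Because "NanoCore.ClientPlugin" is a prefix of "NanoCore.ClientPluginHost", a single occurrence of the longer name reports both markers at the same offset; the threshold therefore counts distinct names found, not raw match count, and the UTF-16LE pass catches the same names if they have been copied into managed string objects rather than metadata.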
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B2D86 bind, 0_2_053B2D86
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B2D34 bind, 0_2_053B2D34
[Chart legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]