Windows Analysis Report
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Overview

General Information

Sample Name: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Analysis ID: 798399
MD5: 8c4f47a96a1f9f58ab28a2353627c153
SHA1: 4e7e9f7c7d630e2406fe76ad1576d35a773e9e06
SHA256: e1cfeeaabcfa9339523fae340820f04895c7a8332b806fd4e813343516928dde
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
PE file has nameless sections
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
PE file contains section with special chars
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe ReversingLabs: Detection: 44%
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Virustotal: Detection: 56%
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Avira: detected
Source: servicepoint.duckdns.org Avira URL Cloud: Label: malware
Source: servicepoint.duckdns.org Virustotal: Detection: 11%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Avira: detection malicious, Label: HEUR/AGEN.1202424
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 44%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Virustotal: Detection: 56%
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b210040d-15e5-44d6-9102-34199926", "Group": "Default", "Domain1": "servicepoint.duckdns.org", "Domain2": "", "Port": 6755, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49700 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49700 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49703 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 213.152.161.85:6755 -> 192.168.2.3:49703
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49704 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49705 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 213.152.161.85:6755 -> 192.168.2.3:49705
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49706 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49707 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49708 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49709 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49710 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49711 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 213.152.161.85:6755 -> 192.168.2.3:49711
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 213.152.161.85:6755 -> 192.168.2.3:49712
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49712 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49713 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49713 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49714 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49715 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49716 -> 213.152.161.85:6755
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49717 -> 213.152.161.85:6755
Source: Malware configuration extractor URLs: servicepoint.duckdns.org
Source: unknown DNS query: name: servicepoint.duckdns.org
Source: Joe Sandbox View ASN Name: GLOBALLAYERNL
Source: Joe Sandbox View IP Address: 213.152.161.85
Source: global traffic TCP traffic: 192.168.2.3:49700 -> 213.152.161.85:6755
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: unknown DNS traffic detected: queries for: servicepoint.duckdns.org

E-Banking Fraud

Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR

System Summary

Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Static PE information: section name:
Source: dhcpmon.exe.1.dr Static PE information: section name:
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Static PE information: section name: 4SUP}s
Source: dhcpmon.exe.1.dr Static PE information: section name: 4SUP}s
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, type: SAMPLE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.0.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.e0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04951C20 0_2_04951C20
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_049515E9 0_2_049515E9
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04950E00 0_2_04950E00
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04950A58 0_2_04950A58
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04951C11 0_2_04951C11
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04951005 0_2_04951005
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_0495080A 0_2_0495080A
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04951052 0_2_04951052
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_0495084C 0_2_0495084C
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04950463 0_2_04950463
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04950592 0_2_04950592
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_0495018E 0_2_0495018E
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04950DD1 0_2_04950DD1
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_0495015E 0_2_0495015E
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04950565 0_2_04950565
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_049506A8 0_2_049506A8
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_049502D4 0_2_049502D4
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_049502C2 0_2_049502C2
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_049506E0 0_2_049506E0
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04950231 0_2_04950231
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_0495023C 0_2_0495023C
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04950388 0_2_04950388
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_049507A7 0_2_049507A7
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_049507D5 0_2_049507D5
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_049503F0 0_2_049503F0
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04A173F6 0_2_04A173F6
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 1_2_033A2FA8 1_2_033A2FA8
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 1_2_033A23A0 1_2_033A23A0
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 1_2_033A8798 1_2_033A8798
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 1_2_033AAE38 1_2_033AAE38
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 1_2_033A3850 1_2_033A3850
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 1_2_033A9398 1_2_033A9398
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 1_2_033A306F 1_2_033A306F
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 1_2_033A945F 1_2_033A945F
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 1_2_033A9C40 1_2_033A9C40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_02960A58 2_2_02960A58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_02960E00 2_2_02960E00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_02961C20 2_2_02961C20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_029602D4 2_2_029602D4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_029602C2 2_2_029602C2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_02960231 2_2_02960231
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_0296023C 2_2_0296023C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_02960388 2_2_02960388
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_029603F0 2_2_029603F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_02961005 2_2_02961005
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_0296080A 2_2_0296080A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_02961052 2_2_02961052
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_0296084C 2_2_0296084C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_0296018E 2_2_0296018E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_0296015E 2_2_0296015E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_029606A8 2_2_029606A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_029606E0 2_2_029606E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_029607A7 2_2_029607A7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_029607D5 2_2_029607D5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_02960C40 2_2_02960C40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_02960463 2_2_02960463
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_02960592 2_2_02960592
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_02960565 2_2_02960565
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_05267330 2_2_05267330
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_05267320 2_2_05267320
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000000.245601499.000000000016C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameProcexp.exeB vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.252344344.0000000004CF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamedll.exe4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000003.248416107.0000000003825000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedll.exe4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.252420555.000000000150C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameProcexp.exeB vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Binary or memory string: OriginalFilenameProcexp.exeB vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Static PE information: Section: 4SUP}s ZLIB complexity 1.000383148923445
Source: dhcpmon.exe.1.dr Static PE information: Section: 4SUP}s ZLIB complexity 1.000383148923445
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe ReversingLabs: Detection: 44%
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe File read: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_00A8B00E AdjustTokenPrivileges, 0_2_00A8B00E
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_00A8AFD7 AdjustTokenPrivileges, 0_2_00A8AFD7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_00DCB4CA AdjustTokenPrivileges, 2_2_00DCB4CA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_00DCB493 AdjustTokenPrivileges, 2_2_00DCB493
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/8@16/2
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Mutant created: \Sessions\1\BaseNamedObjects\???????
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{b210040d-15e5-44d6-9102-34199926a203}
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 2_2_051A6E30 pushad ; retf 2_2_051A6E31
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Static PE information: section name: 4SUP}s
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Static PE information: section name:
Source: dhcpmon.exe.1.dr Static PE information: section name: 4SUP}s
Source: dhcpmon.exe.1.dr Static PE information: section name:
Source: initial sample Static PE information: section name: 4SUP}s entropy: 7.998441047887134
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
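The static traits listed in this section (a section named 4SUP}s, a nameless section, section entropy of 7.998 and the PDB build paths left in memory) can be reproduced on disk without a sandbox. The script below is an added example written for this report, not Joe Sandbox or NanoCore code: it walks the PE section table using only the Python standard library (no pefile), flags sections whose name is empty, non-printable or not one a normal linker emits, flags near-maximal Shannon entropy, and greps the file for drive-letter paths ending in .pdb. The PE image produced by build_sample_pe() is constructed for the demonstration and is not the analysed sample; the 7.9 bits/byte threshold and the list of "standard" section names are assumptions, not values from the report.

```python
"""Static triage of PE section names, section entropy and embedded PDB paths.
Added example for this report, not Joe Sandbox or NanoCore code.
Standard library only; the image built by build_sample_pe() is a
constructed stand-in, not the analysed sample."""
import math
import re
import struct

SECTION_HEADER_SIZE = 40
# Assumption: names a normal MSVC/.NET linker emits; anything else is worth a look.
STANDARD_NAMES = {b".text", b".rdata", b".data", b".rsrc", b".reloc",
                  b".idata", b".edata", b".pdata", b".bss", b".tls"}
ENTROPY_THRESHOLD = 7.9   # assumption: bits/byte; packed or encrypted data sits near 8.0
PDB_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7E]{1,300}?\.pdb")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) for each entry in the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]    # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]       # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + i * SECTION_HEADER_SIZE)
        yield name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]


def flag_sections(pe: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Return [(name, [reasons])] for sections that look packed or hand-made."""
    findings = []
    for name, data in parse_sections(pe):
        reasons = []
        if not name:
            reasons.append("nameless")
        elif any(c <= 0x20 or c >= 0x7F for c in name):
            reasons.append("non-printable name")
        elif name not in STANDARD_NAMES:
            reasons.append("non-standard name")
        ent = shannon_entropy(data)
        if ent >= threshold:
            reasons.append(f"high entropy {ent:.3f}")
        if reasons:
            findings.append((name.decode("latin-1"), reasons))
    return findings


def extract_pdb_paths(pe: bytes):
    """Grep for Windows paths ending in .pdb, as the report's 'Binary string' rows do."""
    return [m.group().decode("ascii") for m in PDB_RE.finditer(pe)]


def build_sample_pe() -> bytes:
    """Constructed PE32 image: a plain .text, a nameless section and a section
    named '4SUP}s' holding uniformly distributed bytes (entropy exactly 8.0)."""
    sections = [
        (b".text", b"\x90" * 256 + b"G:\\Users\\demo\\obj\\Debug\\Demo.pdb\0"),
        (b"", bytes(range(64))),
        (b"4SUP}s", bytes(range(256)) * 16),
    ]
    e_lfanew, opt_size = 0x80, 224
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")    # PE32 magic, rest zeroed
    headers = dos + b"PE\0\0" + coff + opt
    data_off = len(headers) + SECTION_HEADER_SIZE * len(sections)
    table, body = b"", b""
    for i, (name, raw) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw),
                             0x1000 * (i + 1), len(raw), data_off + len(body),
                             0, 0, 0, 0, 0x60000020)
        body += raw
    return headers + table + body


if __name__ == "__main__":
    image = build_sample_pe()
    for name, reasons in flag_sections(image):
        print(f"section {name!r}: {', '.join(reasons)}")
    print("pdb paths:", extract_pdb_paths(image))
```

Run against a real file by passing its bytes to flag_sections() and extract_pdb_paths() instead of the constructed image. The PDB grep only finds plaintext paths, which is why this report sees them in process memory dumps rather than in the packed file on disk; a nameless section or one with a name like 4SUP}s is a linker-independent signal on its own, and the entropy check catches the packed payload regardless of what the section is called.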

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe File opened: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 5552 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 5296 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 5320 Thread sleep time: -1520000s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 628 Thread sleep time: -40000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5216 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Window / User API: foregroundWindowGot 825
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Window / User API: foregroundWindowGot 769
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Code function: 0_2_04952411 LdrInitializeThunk, 0_2_04952411
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Memory written: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.513465450.0000000001583000.00000004.00000020.00020000.00000000.sdmp, HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.352138949.000000000159A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerl
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.380630900.000000000154C000.00000004.00000020.00020000.00000000.sdmp, HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.319503227.0000000001541000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager$:
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR

Remote Access Functionality

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR