Edit tour

Windows Analysis Report
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Overview

General Information

Sample Name:	HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Analysis ID:	798399
MD5:	8c4f47a96a1f9f58ab28a2353627c153
SHA1:	4e7e9f7c7d630e2406fe76ad1576d35a773e9e06
SHA256:	e1cfeeaabcfa9339523fae340820f04895c7a8332b806fd4e813343516928dde
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

PE file has nameless sections

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

PE file contains section with special chars

Uses 32bit PE files

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe (PID: 4864 cmdline: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe MD5: 8C4F47A96A1F9F58AB28A2353627C153)

HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe (PID: 5368 cmdline: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe MD5: 8C4F47A96A1F9F58AB28A2353627C153)

dhcpmon.exe (PID: 5240 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 8C4F47A96A1F9F58AB28A2353627C153)

dhcpmon.exe (PID: 5168 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 8C4F47A96A1F9F58AB28A2353627C153)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "b210040d-15e5-44d6-9102-34199926", "Group": "Default", "Domain1": "servicepoint.duckdns.org", "Domain2": "", "Port": 6755, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x4d495:$name: ConfuserEx 0x4cecb:$compile: AssemblyTitle

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x4d495:$name: ConfuserEx 0x4cecb:$compile: AssemblyTitle

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3e2ed:$x1: NanoCore.ClientPluginHost 0x6666d:$x1: NanoCore.ClientPluginHost 0x3e32a:$x2: IClientNetworkHost 0x666aa:$x2: IClientNetworkHost 0x41e5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6a1dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3e055:$a: NanoCore 0x3e065:$a: NanoCore 0x3e299:$a: NanoCore 0x3e2ad:$a: NanoCore 0x3e2ed:$a: NanoCore 0x663d5:$a: NanoCore 0x663e5:$a: NanoCore 0x66619:$a: NanoCore 0x6662d:$a: NanoCore 0x6666d:$a: NanoCore 0x3e0b4:$b: ClientPlugin 0x3e2b6:$b: ClientPlugin 0x3e2f6:$b: ClientPlugin 0x66434:$b: ClientPlugin 0x66636:$b: ClientPlugin 0x66676:$b: ClientPlugin 0x3e1db:$c: ProjectData 0x6655b:$c: ProjectData 0x3ebe2:$d: DESCrypto 0x66f62:$d: DESCrypto 0x465ae:$e: KeepAlive
00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3e2ed:$a1: NanoCore.ClientPluginHost 0x6666d:$a1: NanoCore.ClientPluginHost 0x3e2ad:$a2: NanoCore.ClientPlugin 0x6662d:$a2: NanoCore.ClientPlugin 0x40206:$b1: get_BuilderSettings 0x68586:$b1: get_BuilderSettings 0x3e109:$b2: ClientLoaderForm.resources 0x66489:$b2: ClientLoaderForm.resources 0x3f926:$b3: PluginCommand 0x67ca6:$b3: PluginCommand 0x3e2de:$b4: IClientAppHost 0x6665e:$b4: IClientAppHost 0x4875e:$b5: GetBlockHash 0x70ade:$b5: GetBlockHash 0x4085e:$b6: AddHostEntry 0x68bde:$b6: AddHostEntry 0x44551:$b7: LogClientException 0x6c8d1:$b7: LogClientException 0x407cb:$b8: PipeExists 0x68b4b:$b8: PipeExists 0x3e317:$b9: IClientLoggingHost
00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x35756:$a: NanoCore 0x3577b:$a: NanoCore 0x357d4:$a: NanoCore 0x4597f:$a: NanoCore 0x459a5:$a: NanoCore 0x45a01:$a: NanoCore 0x5285f:$a: NanoCore 0x528b8:$a: NanoCore 0x528eb:$a: NanoCore 0x52b17:$a: NanoCore 0x52b93:$a: NanoCore 0x531ac:$a: NanoCore 0x532f5:$a: NanoCore 0x537c9:$a: NanoCore 0x53ab0:$a: NanoCore 0x53ac7:$a: NanoCore 0x5c96f:$a: NanoCore 0x5c9eb:$a: NanoCore 0x5f2ce:$a: NanoCore 0x6489d:$a: NanoCore 0x64917:$a: NanoCore
00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3577b:$a1: NanoCore.ClientPluginHost 0x459a5:$a1: NanoCore.ClientPluginHost 0x52b17:$a1: NanoCore.ClientPluginHost 0x5c96f:$a1: NanoCore.ClientPluginHost 0x6489d:$a1: NanoCore.ClientPluginHost 0x6a878:$a1: NanoCore.ClientPluginHost 0x742eb:$a1: NanoCore.ClientPluginHost 0x7c39e:$a1: NanoCore.ClientPluginHost 0x84177:$a1: NanoCore.ClientPluginHost 0x8f161:$a1: NanoCore.ClientPluginHost 0x9af0f:$a1: NanoCore.ClientPluginHost 0xa6c62:$a1: NanoCore.ClientPluginHost 0x35756:$a2: NanoCore.ClientPlugin 0x4597f:$a2: NanoCore.ClientPlugin 0x52b93:$a2: NanoCore.ClientPlugin 0x5c9eb:$a2: NanoCore.ClientPlugin 0x64917:$a2: NanoCore.ClientPlugin 0x6a8c2:$a2: NanoCore.ClientPlugin 0x743d5:$a2: NanoCore.ClientPlugin 0x7c3e8:$a2: NanoCore.ClientPlugin 0x84217:$a2: NanoCore.ClientPlugin
00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x11621:$a1: NanoCore.ClientPluginHost 0x115e4:$a2: NanoCore.ClientPlugin 0x119b8:$b1: get_BuilderSettings 0x1166f:$b4: IClientAppHost 0x11a29:$b6: AddHostEntry 0x11a98:$b7: LogClientException 0x11a0d:$b8: PipeExists 0x1165c:$b9: IClientLoggingHost
00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x109e5:$x1: NanoCore.ClientPluginHost 0x46135:$x1: NanoCore.ClientPluginHost 0x10a22:$x2: IClientNetworkHost 0x46172:$x2: IClientNetworkHost 0x14555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x49ca5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1074d:$a: NanoCore 0x1075d:$a: NanoCore 0x10991:$a: NanoCore 0x109a5:$a: NanoCore 0x109e5:$a: NanoCore 0x45e9d:$a: NanoCore 0x45ead:$a: NanoCore 0x460e1:$a: NanoCore 0x460f5:$a: NanoCore 0x46135:$a: NanoCore 0x107ac:$b: ClientPlugin 0x109ae:$b: ClientPlugin 0x109ee:$b: ClientPlugin 0x45efc:$b: ClientPlugin 0x460fe:$b: ClientPlugin 0x4613e:$b: ClientPlugin 0x108d3:$c: ProjectData 0x46023:$c: ProjectData 0x112da:$d: DESCrypto 0x46a2a:$d: DESCrypto 0x18ca6:$e: KeepAlive
00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x109e5:$a1: NanoCore.ClientPluginHost 0x46135:$a1: NanoCore.ClientPluginHost 0x109a5:$a2: NanoCore.ClientPlugin 0x460f5:$a2: NanoCore.ClientPlugin 0x128fe:$b1: get_BuilderSettings 0x4804e:$b1: get_BuilderSettings 0x10801:$b2: ClientLoaderForm.resources 0x45f51:$b2: ClientLoaderForm.resources 0x1201e:$b3: PluginCommand 0x4776e:$b3: PluginCommand 0x109d6:$b4: IClientAppHost 0x46126:$b4: IClientAppHost 0x1ae56:$b5: GetBlockHash 0x505a6:$b5: GetBlockHash 0x12f56:$b6: AddHostEntry 0x486a6:$b6: AddHostEntry 0x16c49:$b7: LogClientException 0x4c399:$b7: LogClientException 0x12ec3:$b8: PipeExists 0x48613:$b8: PipeExists 0x10a0f:$b9: IClientLoggingHost
00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10d45:$x1: NanoCore.ClientPluginHost 0x10d82:$x2: IClientNetworkHost 0x148b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10aad:$a: NanoCore 0x10abd:$a: NanoCore 0x10cf1:$a: NanoCore 0x10d05:$a: NanoCore 0x10d45:$a: NanoCore 0x10b0c:$b: ClientPlugin 0x10d0e:$b: ClientPlugin 0x10d4e:$b: ClientPlugin 0x10c33:$c: ProjectData 0x1163a:$d: DESCrypto 0x19006:$e: KeepAlive 0x16ff4:$g: LogClientMessage 0x131ef:$i: get_Connected 0x11970:$j: #=q 0x119a0:$j: #=q 0x119bc:$j: #=q 0x119ec:$j: #=q 0x11a08:$j: #=q 0x11a24:$j: #=q 0x11a54:$j: #=q 0x11a70:$j: #=q
00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10d45:$a1: NanoCore.ClientPluginHost 0x10d05:$a2: NanoCore.ClientPlugin 0x12c5e:$b1: get_BuilderSettings 0x10b61:$b2: ClientLoaderForm.resources 0x1237e:$b3: PluginCommand 0x10d36:$b4: IClientAppHost 0x1b1b6:$b5: GetBlockHash 0x132b6:$b6: AddHostEntry 0x16fa9:$b7: LogClientException 0x13223:$b8: PipeExists 0x10d6f:$b9: IClientLoggingHost
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4816:$x1: NanoCore.ClientPluginHost 0x2d061:$x1: NanoCore.ClientPluginHost 0x59b14:$x1: NanoCore.ClientPluginHost 0x4853:$x2: IClientNetworkHost 0x2d09e:$x2: IClientNetworkHost 0x59b51:$x2: IClientNetworkHost 0x8344:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x133ca:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e806:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x30b8f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bc15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x48294:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5d642:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x686c8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x44e3:$a: NanoCore 0x44f3:$a: NanoCore 0x45b2:$a: NanoCore 0x45c1:$a: NanoCore 0x47c2:$a: NanoCore 0x47d6:$a: NanoCore 0x4816:$a: NanoCore 0xfa34:$a: NanoCore 0xfa46:$a: NanoCore 0xfa82:$a: NanoCore 0x1ae70:$a: NanoCore 0x1ae82:$a: NanoCore 0x1aebe:$a: NanoCore 0x2cd2e:$a: NanoCore 0x2cd3e:$a: NanoCore 0x2cdfd:$a: NanoCore 0x2ce0c:$a: NanoCore 0x2d00d:$a: NanoCore 0x2d021:$a: NanoCore 0x2d061:$a: NanoCore 0x3827f:$a: NanoCore
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4816:$a1: NanoCore.ClientPluginHost 0x2d061:$a1: NanoCore.ClientPluginHost 0x59b14:$a1: NanoCore.ClientPluginHost 0x47d6:$a2: NanoCore.ClientPlugin 0x2d021:$a2: NanoCore.ClientPlugin 0x59ad4:$a2: NanoCore.ClientPlugin 0x66ed:$b1: get_BuilderSettings 0x2ef38:$b1: get_BuilderSettings 0x5b9eb:$b1: get_BuilderSettings 0x4597:$b2: ClientLoaderForm.resources 0x2cde2:$b2: ClientLoaderForm.resources 0x59895:$b2: ClientLoaderForm.resources 0x5e0d:$b3: PluginCommand 0x2e658:$b3: PluginCommand 0x5b10b:$b3: PluginCommand 0x4807:$b4: IClientAppHost 0x2d052:$b4: IClientAppHost 0x59b05:$b4: IClientAppHost 0xec40:$b5: GetBlockHash 0x3748b:$b5: GetBlockHash 0x63f3e:$b5: GetBlockHash
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x163be:$x1: NanoCore.ClientPluginHost 0x9b0af:$x1: NanoCore.ClientPluginHost 0x1228b2:$x1: NanoCore.ClientPluginHost 0x163e8:$x2: IClientNetworkHost 0x9b0c9:$x2: IClientNetworkHost 0x1228ef:$x2: IClientNetworkHost 0x1263e0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x131466:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1535f:$a: NanoCore 0x16399:$a: NanoCore 0x163be:$a: NanoCore 0x16417:$a: NanoCore 0x19eab:$a: NanoCore 0x19ece:$a: NanoCore 0x19f23:$a: NanoCore 0x24fc2:$a: NanoCore 0x24fe6:$a: NanoCore 0x2503e:$a: NanoCore 0x2c4b6:$a: NanoCore 0x2c50f:$a: NanoCore 0x2c535:$a: NanoCore 0x2c8cb:$a: NanoCore 0x2c90f:$a: NanoCore 0x2c952:$a: NanoCore 0x2c9a5:$a: NanoCore 0x2c9d4:$a: NanoCore 0x2cbda:$a: NanoCore 0x2cc4e:$a: NanoCore 0x2d205:$a: NanoCore
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x163be:$a1: NanoCore.ClientPluginHost 0x9b0af:$a1: NanoCore.ClientPluginHost 0x1228b2:$a1: NanoCore.ClientPluginHost 0x16399:$a2: NanoCore.ClientPlugin 0x9b072:$a2: NanoCore.ClientPlugin 0x122872:$a2: NanoCore.ClientPlugin 0x19cf9:$b1: get_BuilderSettings 0x9b415:$b1: get_BuilderSettings 0x124789:$b1: get_BuilderSettings 0x122633:$b2: ClientLoaderForm.resources 0x123ea9:$b3: PluginCommand 0x163af:$b4: IClientAppHost 0x9b0fd:$b4: IClientAppHost 0x1228a3:$b4: IClientAppHost 0x12ccdc:$b5: GetBlockHash 0x9b486:$b6: AddHostEntry 0x124de1:$b6: AddHostEntry 0x12ff00:$b6: AddHostEntry 0x2e03d:$b7: LogClientException 0x9b4f5:$b7: LogClientException 0x128ad4:$b7: LogClientException
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x3850d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x3854a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3c07d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x38285:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x3850d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x39b46:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x39b3a:$s2: FileCommand 0x1266b:$s3: PipeExists 0x3a9eb:$s3: PipeExists 0x18422:$s4: PipeCreated 0x407a2:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x38537:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x38275:$x1: NanoCore Client 0x38285:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x384cd:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x3850d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x384c2:$i1: IClientApp 0x10163:$i2: IClientData 0x384e3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x384ef:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x384fe:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x38527:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x38537:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x38275:$a: NanoCore 0x38285:$a: NanoCore 0x384b9:$a: NanoCore 0x384cd:$a: NanoCore 0x3850d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x382d4:$b: ClientPlugin 0x384d6:$b: ClientPlugin 0x38516:$b: ClientPlugin 0x1007b:$c: ProjectData 0x383fb:$c: ProjectData 0x10a82:$d: DESCrypto 0x38e02:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x3850d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x384cd:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x3a426:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x38329:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x39b46:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x384fe:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4297e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x3aa7e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x3e771:$b7: LogClientException 0x1266b:$b8: PipeExists 0x3a9eb:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
0.0.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.e0000.0.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x4d495:$name: ConfuserEx 0x4cecb:$compile: AssemblyTitle
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x458dd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x4591a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4944d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x45655:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x458dd:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x46f16:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x46f0a:$s2: FileCommand 0x1266b:$s3: PipeExists 0x47dbb:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4db72:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x45907:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x45645:$x1: NanoCore Client 0x45655:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4589d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x458dd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x45892:$i1: IClientApp 0x10163:$i2: IClientData 0x458b3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x458bf:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x458ce:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x458f7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x45907:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x45645:$a: NanoCore 0x45655:$a: NanoCore 0x45889:$a: NanoCore 0x4589d:$a: NanoCore 0x458dd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x456a4:$b: ClientPlugin 0x458a6:$b: ClientPlugin 0x458e6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x457cb:$c: ProjectData 0x10a82:$d: DESCrypto 0x461d2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x458dd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x4589d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x477f6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x456f9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x46f16:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x458ce:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4fd4e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x47e4e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x4bb41:$b7: LogClientException 0x1266b:$b8: PipeExists 0x47dbb:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x1: NanoCore.ClientPluginHost 0xb53b:$x1: NanoCore.ClientPluginHost 0x13469:$x1: NanoCore.ClientPluginHost 0x19444:$x1: NanoCore.ClientPluginHost 0x22eb7:$x1: NanoCore.ClientPluginHost 0x2af6a:$x1: NanoCore.ClientPluginHost 0x32d43:$x1: NanoCore.ClientPluginHost 0x3dd2d:$x1: NanoCore.ClientPluginHost 0x49adb:$x1: NanoCore.ClientPluginHost 0x5582e:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb574:$x2: IClientNetworkHost 0x134a2:$x2: IClientNetworkHost 0x23014:$x2: IClientNetworkHost 0x32d7c:$x2: IClientNetworkHost 0x3dd47:$x2: IClientNetworkHost 0x49af5:$x2: IClientNetworkHost 0x5586b:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x2: NanoCore.ClientPluginHost 0xb53b:$x2: NanoCore.ClientPluginHost 0x13469:$x2: NanoCore.ClientPluginHost 0x19444:$x2: NanoCore.ClientPluginHost 0x22eb7:$x2: NanoCore.ClientPluginHost 0x2af6a:$x2: NanoCore.ClientPluginHost 0x32d43:$x2: NanoCore.ClientPluginHost 0x3dd2d:$x2: NanoCore.ClientPluginHost 0x49adb:$x2: NanoCore.ClientPluginHost 0x5582e:$x2: NanoCore.ClientPluginHost 0x23e0d:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb63f:$s4: PipeCreated 0x13584:$s4: PipeCreated 0x19522:$s4: PipeCreated 0x230ad:$s4: PipeCreated 0x2b048:$s4: PipeCreated 0x32e8e:$s4: PipeCreated 0x3ed62:$s4: PipeCreated 0x4b886:$s4: PipeCreated 0x58c81:$s4: PipeCreated
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5b7:$x2: NanoCore.ClientPlugin 0x134e3:$x2: NanoCore.ClientPlugin 0x1948e:$x2: NanoCore.ClientPlugin 0x22fa1:$x2: NanoCore.ClientPlugin 0x2afb4:$x2: NanoCore.ClientPlugin 0x32de3:$x2: NanoCore.ClientPlugin 0x3dd04:$x2: NanoCore.ClientPlugin 0x49ab2:$x2: NanoCore.ClientPlugin 0x55809:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb53b:$x3: NanoCore.ClientPluginHost 0x13469:$x3: NanoCore.ClientPluginHost 0x19444:$x3: NanoCore.ClientPluginHost 0x22eb7:$x3: NanoCore.ClientPluginHost 0x2af6a:$x3: NanoCore.ClientPluginHost 0x32d43:$x3: NanoCore.ClientPluginHost 0x3dd2d:$x3: NanoCore.ClientPluginHost 0x49adb:$x3: NanoCore.ClientPluginHost 0x5582e:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb53b:$a: NanoCore 0xb5b7:$a: NanoCore 0xde9a:$a: NanoCore 0x13469:$a: NanoCore 0x134e3:$a: NanoCore 0x19444:$a: NanoCore 0x1948e:$a: NanoCore 0x1a0e8:$a: NanoCore 0x22eb7:$a: NanoCore 0x22fa1:$a: NanoCore 0x23e18:$a: NanoCore
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb53b:$a1: NanoCore.ClientPluginHost 0x13469:$a1: NanoCore.ClientPluginHost 0x19444:$a1: NanoCore.ClientPluginHost 0x22eb7:$a1: NanoCore.ClientPluginHost 0x2af6a:$a1: NanoCore.ClientPluginHost 0x32d43:$a1: NanoCore.ClientPluginHost 0x3dd2d:$a1: NanoCore.ClientPluginHost 0x49adb:$a1: NanoCore.ClientPluginHost 0x5582e:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb5b7:$a2: NanoCore.ClientPlugin 0x134e3:$a2: NanoCore.ClientPlugin 0x1948e:$a2: NanoCore.ClientPlugin 0x22fa1:$a2: NanoCore.ClientPlugin 0x2afb4:$a2: NanoCore.ClientPlugin 0x32de3:$a2: NanoCore.ClientPlugin 0x3dd04:$a2: NanoCore.ClientPlugin 0x49ab2:$a2: NanoCore.ClientPlugin 0x55809:$a2: NanoCore.ClientPlugin 0x5581f:$b4: IClientAppHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d17:$x1: NanoCore.ClientPluginHost 0x1fb6f:$x1: NanoCore.ClientPluginHost 0x27a9d:$x1: NanoCore.ClientPluginHost 0x2da78:$x1: NanoCore.ClientPluginHost 0x374eb:$x1: NanoCore.ClientPluginHost 0x3f59e:$x1: NanoCore.ClientPluginHost 0x47377:$x1: NanoCore.ClientPluginHost 0x52361:$x1: NanoCore.ClientPluginHost 0x5e10f:$x1: NanoCore.ClientPluginHost 0x69e62:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d50:$x2: IClientNetworkHost 0x1fba8:$x2: IClientNetworkHost 0x27ad6:$x2: IClientNetworkHost 0x37648:$x2: IClientNetworkHost 0x473b0:$x2: IClientNetworkHost 0x5237b:$x2: IClientNetworkHost 0x5e129:$x2: IClientNetworkHost 0x69e9f:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d17:$x2: NanoCore.ClientPluginHost 0x1fb6f:$x2: NanoCore.ClientPluginHost 0x27a9d:$x2: NanoCore.ClientPluginHost 0x2da78:$x2: NanoCore.ClientPluginHost 0x374eb:$x2: NanoCore.ClientPluginHost 0x3f59e:$x2: NanoCore.ClientPluginHost 0x47377:$x2: NanoCore.ClientPluginHost 0x52361:$x2: NanoCore.ClientPluginHost 0x5e10f:$x2: NanoCore.ClientPluginHost 0x69e62:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x38441:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e34:$s4: PipeCreated 0x1fc73:$s4: PipeCreated 0x27bb8:$s4: PipeCreated 0x2db56:$s4: PipeCreated 0x376e1:$s4: PipeCreated 0x3f67c:$s4: PipeCreated 0x474c2:$s4: PipeCreated
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d93:$x2: NanoCore.ClientPlugin 0x1fbeb:$x2: NanoCore.ClientPlugin 0x27b17:$x2: NanoCore.ClientPlugin 0x2dac2:$x2: NanoCore.ClientPlugin 0x375d5:$x2: NanoCore.ClientPlugin 0x3f5e8:$x2: NanoCore.ClientPlugin 0x47417:$x2: NanoCore.ClientPlugin 0x52338:$x2: NanoCore.ClientPlugin 0x5e0e6:$x2: NanoCore.ClientPlugin 0x69e3d:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d17:$x3: NanoCore.ClientPluginHost 0x1fb6f:$x3: NanoCore.ClientPluginHost 0x27a9d:$x3: NanoCore.ClientPluginHost 0x2da78:$x3: NanoCore.ClientPluginHost 0x374eb:$x3: NanoCore.ClientPluginHost 0x3f59e:$x3: NanoCore.ClientPluginHost 0x47377:$x3: NanoCore.ClientPluginHost 0x52361:$x3: NanoCore.ClientPluginHost 0x5e10f:$x3: NanoCore.ClientPluginHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a5f:$a: NanoCore 0x15ab8:$a: NanoCore 0x15aeb:$a: NanoCore 0x15d17:$a: NanoCore 0x15d93:$a: NanoCore 0x163ac:$a: NanoCore 0x164f5:$a: NanoCore 0x169c9:$a: NanoCore 0x16cb0:$a: NanoCore 0x16cc7:$a: NanoCore 0x1fb6f:$a: NanoCore 0x1fbeb:$a: NanoCore 0x224ce:$a: NanoCore 0x27a9d:$a: NanoCore 0x27b17:$a: NanoCore 0x2da78:$a: NanoCore 0x2dac2:$a: NanoCore 0x2e71c:$a: NanoCore
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d17:$a1: NanoCore.ClientPluginHost 0x1fb6f:$a1: NanoCore.ClientPluginHost 0x27a9d:$a1: NanoCore.ClientPluginHost 0x2da78:$a1: NanoCore.ClientPluginHost 0x374eb:$a1: NanoCore.ClientPluginHost 0x3f59e:$a1: NanoCore.ClientPluginHost 0x47377:$a1: NanoCore.ClientPluginHost 0x52361:$a1: NanoCore.ClientPluginHost 0x5e10f:$a1: NanoCore.ClientPluginHost 0x69e62:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d93:$a2: NanoCore.ClientPlugin 0x1fbeb:$a2: NanoCore.ClientPlugin 0x27b17:$a2: NanoCore.ClientPlugin 0x2dac2:$a2: NanoCore.ClientPlugin 0x375d5:$a2: NanoCore.ClientPlugin 0x3f5e8:$a2: NanoCore.ClientPlugin 0x47417:$a2: NanoCore.ClientPlugin 0x52338:$a2: NanoCore.ClientPlugin 0x5e0e6:$a2: NanoCore.ClientPlugin
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14de5:$x1: NanoCore.ClientPluginHost 0x21f57:$x1: NanoCore.ClientPluginHost 0x2bdaf:$x1: NanoCore.ClientPluginHost 0x33cdd:$x1: NanoCore.ClientPluginHost 0x39cb8:$x1: NanoCore.ClientPluginHost 0x4372b:$x1: NanoCore.ClientPluginHost 0x4b7de:$x1: NanoCore.ClientPluginHost 0x535b7:$x1: NanoCore.ClientPluginHost 0x5e5a1:$x1: NanoCore.ClientPluginHost 0x6a34f:$x1: NanoCore.ClientPluginHost 0x760a2:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e12:$x2: IClientNetworkHost 0x21f90:$x2: IClientNetworkHost 0x2bde8:$x2: IClientNetworkHost 0x33d16:$x2: IClientNetworkHost 0x43888:$x2: IClientNetworkHost 0x535f0:$x2: IClientNetworkHost 0x5e5bb:$x2: IClientNetworkHost 0x6a369:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14de5:$x2: NanoCore.ClientPluginHost 0x21f57:$x2: NanoCore.ClientPluginHost 0x2bdaf:$x2: NanoCore.ClientPluginHost 0x33cdd:$x2: NanoCore.ClientPluginHost 0x39cb8:$x2: NanoCore.ClientPluginHost 0x4372b:$x2: NanoCore.ClientPluginHost 0x4b7de:$x2: NanoCore.ClientPluginHost 0x535b7:$x2: NanoCore.ClientPluginHost 0x5e5a1:$x2: NanoCore.ClientPluginHost 0x6a34f:$x2: NanoCore.ClientPluginHost 0x760a2:$x2: NanoCore.ClientPluginHost 0x15db4:$s2: FileCommand 0x44681:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a7b6:$s4: PipeCreated 0x22074:$s4: PipeCreated 0x2beb3:$s4: PipeCreated 0x33df8:$s4: PipeCreated 0x39d96:$s4: PipeCreated 0x43921:$s4: PipeCreated
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14dbf:$x2: NanoCore.ClientPlugin 0x21fd3:$x2: NanoCore.ClientPlugin 0x2be2b:$x2: NanoCore.ClientPlugin 0x33d57:$x2: NanoCore.ClientPlugin 0x39d02:$x2: NanoCore.ClientPlugin 0x43815:$x2: NanoCore.ClientPlugin 0x4b828:$x2: NanoCore.ClientPlugin 0x53657:$x2: NanoCore.ClientPlugin 0x5e578:$x2: NanoCore.ClientPlugin 0x6a326:$x2: NanoCore.ClientPlugin 0x7607d:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14de5:$x3: NanoCore.ClientPluginHost 0x21f57:$x3: NanoCore.ClientPluginHost 0x2bdaf:$x3: NanoCore.ClientPluginHost 0x33cdd:$x3: NanoCore.ClientPluginHost 0x39cb8:$x3: NanoCore.ClientPluginHost 0x4372b:$x3: NanoCore.ClientPluginHost 0x4b7de:$x3: NanoCore.ClientPluginHost 0x535b7:$x3: NanoCore.ClientPluginHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dbf:$a: NanoCore 0x14de5:$a: NanoCore 0x14e41:$a: NanoCore 0x21c9f:$a: NanoCore 0x21cf8:$a: NanoCore 0x21d2b:$a: NanoCore 0x21f57:$a: NanoCore 0x21fd3:$a: NanoCore 0x225ec:$a: NanoCore 0x22735:$a: NanoCore 0x22c09:$a: NanoCore 0x22ef0:$a: NanoCore 0x22f07:$a: NanoCore 0x2bdaf:$a: NanoCore 0x2be2b:$a: NanoCore 0x2e70e:$a: NanoCore 0x33cdd:$a: NanoCore 0x33d57:$a: NanoCore
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14de5:$a1: NanoCore.ClientPluginHost 0x21f57:$a1: NanoCore.ClientPluginHost 0x2bdaf:$a1: NanoCore.ClientPluginHost 0x33cdd:$a1: NanoCore.ClientPluginHost 0x39cb8:$a1: NanoCore.ClientPluginHost 0x4372b:$a1: NanoCore.ClientPluginHost 0x4b7de:$a1: NanoCore.ClientPluginHost 0x535b7:$a1: NanoCore.ClientPluginHost 0x5e5a1:$a1: NanoCore.ClientPluginHost 0x6a34f:$a1: NanoCore.ClientPluginHost 0x760a2:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14dbf:$a2: NanoCore.ClientPlugin 0x21fd3:$a2: NanoCore.ClientPlugin 0x2be2b:$a2: NanoCore.ClientPlugin 0x33d57:$a2: NanoCore.ClientPlugin 0x39d02:$a2: NanoCore.ClientPlugin 0x43815:$a2: NanoCore.ClientPlugin 0x4b828:$a2: NanoCore.ClientPlugin 0x53657:$a2: NanoCore.ClientPlugin
Click to see the 77 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, ProcessId: 5368, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 213.152.161.85 - Destination IP: 192.168.2.3

Timestamp:	213.152.161.85192.168.2.36755497052810290 02/04/23-04:02:37.885591
SID:	2810290
Source Port:	6755
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970067552816718 02/04/23-04:02:18.413039
SID:	2816718
Source Port:	49700
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971167552816766 02/04/23-04:03:22.114925
SID:	2816766
Source Port:	49711
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970867552816766 02/04/23-04:02:58.659576
SID:	2816766
Source Port:	49708
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971367552816766 02/04/23-04:03:34.873002
SID:	2816766
Source Port:	49713
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971367552816718 02/04/23-04:03:32.601666
SID:	2816718
Source Port:	49713
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971667552816766 02/04/23-04:03:58.093532
SID:	2816766
Source Port:	49716
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 213.152.161.85 - Destination IP: 192.168.2.3

Timestamp:	213.152.161.85192.168.2.36755497122841753 02/04/23-04:03:27.123757
SID:	2841753
Source Port:	6755
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 213.152.161.85 - Destination IP: 192.168.2.3

Timestamp:	213.152.161.85192.168.2.36755497032841753 02/04/23-04:02:24.159041
SID:	2841753
Source Port:	6755
Destination Port:	49703
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970567552816766 02/04/23-04:02:38.804523
SID:	2816766
Source Port:	49705
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971567552816766 02/04/23-04:03:50.787453
SID:	2816766
Source Port:	49715
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970767552816766 02/04/23-04:02:51.380389
SID:	2816766
Source Port:	49707
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970367552816766 02/04/23-04:02:24.379082
SID:	2816766
Source Port:	49703
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970967552816766 02/04/23-04:03:05.988800
SID:	2816766
Source Port:	49709
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971267552816766 02/04/23-04:03:27.448220
SID:	2816766
Source Port:	49712
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971767552816766 02/04/23-04:04:04.561310
SID:	2816766
Source Port:	49717
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 213.152.161.85 - Destination IP: 192.168.2.3

Timestamp:	213.152.161.85192.168.2.36755497112841753 02/04/23-04:03:22.044641
SID:	2841753
Source Port:	6755
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970067552816766 02/04/23-04:02:19.457207
SID:	2816766
Source Port:	49700
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970667552816766 02/04/23-04:02:45.198697
SID:	2816766
Source Port:	49706
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971467552816766 02/04/23-04:03:42.744453
SID:	2816766
Source Port:	49714
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970467552816766 02/04/23-04:02:30.984485
SID:	2816766
Source Port:	49704
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971067552816766 02/04/23-04:03:16.374407
SID:	2816766
Source Port:	49710
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	ReversingLabs: Detection: 44%
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Virustotal: Detection: 56%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Avira: detected

Antivirus detection for URL or domain

Source: servicepoint.duckdns.org

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: servicepoint.duckdns.org	Virustotal: Detection: 11%			Perma Link
Source: servicepoint.duckdns.org	Virustotal: Detection: 11%			Perma Link

Antivirus detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Avira: detection malicious, Label: HEUR/AGEN.1202424

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 44%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Virustotal: Detection: 56%			Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR

Machine Learning detection for sample

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b210040d-15e5-44d6-9102-34199926", "Group": "Default", "Domain1": "servicepoint.duckdns.org", "Domain2": "", "Port": 6755, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49700 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49700 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49703 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 213.152.161.85:6755 -> 192.168.2.3:49703
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49704 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49705 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 213.152.161.85:6755 -> 192.168.2.3:49705
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49706 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49707 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49708 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49709 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49710 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49711 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 213.152.161.85:6755 -> 192.168.2.3:49711
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 213.152.161.85:6755 -> 192.168.2.3:49712
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49712 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49713 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49713 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49714 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49715 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49716 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49717 -> 213.152.161.85:6755

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: servicepoint.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: servicepoint.duckdns.org

Source: Joe Sandbox View

ASN Name: GLOBALLAYERNL GLOBALLAYERNL

Source: Joe Sandbox View

IP Address: 213.152.161.85 213.152.161.85

Source: global traffic

TCP traffic: 192.168.2.3:49700 -> 213.152.161.85:6755

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://google.com

Source: unknown

DNS traffic detected: queries for: servicepoint.duckdns.org

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

PE file has nameless sections

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static PE information: section name:
Source: dhcpmon.exe.1.dr	Static PE information: section name:

PE file contains section with special chars

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static PE information: section name: 4SUP}s
Source: dhcpmon.exe.1.dr	Static PE information: section name: 4SUP}s

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, type: SAMPLE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.0.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.e0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04951C20
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049515E9
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950E00
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950A58
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04951C11
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04951005
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_0495080A
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04951052
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_0495084C
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950463
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950592
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_0495018E
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950DD1
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_0495015E
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950565
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049506A8
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049502D4
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049502C2
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049506E0
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950231
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_0495023C
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950388
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049507A7
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049507D5
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049503F0
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04A173F6
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A2FA8
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A23A0
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A8798
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033AAE38
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A3850
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A9398
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A306F
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A945F
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A9C40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960A58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960E00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02961C20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029602D4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029602C2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960231
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_0296023C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960388
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029603F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02961005
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_0296080A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02961052
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_0296084C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_0296018E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_0296015E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029606A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029606E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029607A7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029607D5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960C40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960463
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960592
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960565
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_05267330
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_05267320

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static PE information: Section: 4SUP}s ZLIB complexity 1.000383148923445
Source: dhcpmon.exe.1.dr	Static PE information: Section: 4SUP}s ZLIB complexity 1.000383148923445

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	ReversingLabs: Detection: 44%
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File read: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_00A8B00E AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_00A8AFD7 AdjustTokenPrivileges,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_00DCB4CA AdjustTokenPrivileges,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_00DCB493 AdjustTokenPrivileges,

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/8@16/2

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\???????
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b210040d-15e5-44d6-9102-34199926a203}

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Code function: 2_2_051A6E30 pushad ; retf

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static PE information: section name: 4SUP}s
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static PE information: section name:
Source: dhcpmon.exe.1.dr	Static PE information: section name: 4SUP}s
Source: dhcpmon.exe.1.dr	Static PE information: section name:

Source: initial sample	Static PE information: section name: 4SUP}s entropy: 7.998441047887134
Source: initial sample	Static PE information: section name: 4SUP}s entropy: 7.998441047887134

Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File opened: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 5552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 5296	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 5320	Thread sleep time: -1520000s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 628	Thread sleep time: -40000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5216	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Window / User API: foregroundWindowGot 825
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Window / User API: foregroundWindowGot 769

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Code function: 0_2_04952411 LdrInitializeThunk,

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Memory written: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.513465450.0000000001583000.00000004.00000020.00020000.00000000.sdmp, HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.352138949.000000000159A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerl
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.380630900.000000000154C000.00000004.00000020.00020000.00000000.sdmp, HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.319503227.0000000001541000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager$:

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	2 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	112 Process Injection	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	112 Process Injection	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Obfuscated Files or Information	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	12 Software Packing	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Bulz
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	57%	Virustotal		Browse
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	100%	Avira	HEUR/AGEN.1202424
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Avira	HEUR/AGEN.1202424
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Bulz
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	57%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1208316		Download File
0.0.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.e0000.0.unpack	100%	Avira	HEUR/AGEN.1202424		Download File

Domains

Source	Detection	Scanner	Label	Link
servicepoint.duckdns.org	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
servicepoint.duckdns.org	100%	Avira URL Cloud	malware
servicepoint.duckdns.org	11%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
servicepoint.duckdns.org	213.152.161.85	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
servicepoint.duckdns.org	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com	HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.152.161.85	servicepoint.duckdns.org	Netherlands		49453	GLOBALLAYERNL	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	798399
Start date and time:	2023-02-04 04:01:07 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/8@16/2
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 93.184.221.240, 209.197.3.8
Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net
Execution Graph export aborted for target HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, PID 5368 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:02:01	API Interceptor	838x Sleep call for process: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe modified
04:02:03	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
04:02:14	API Interceptor	1x Sleep call for process: dhcpmon.exe modified

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	924672
Entropy (8bit):	6.4582092585373525
Encrypted:	false
SSDEEP:	12288:pLYT+m0qD8CEULAfPpIuG1JZnXiGDyQics5Ec0Y7JOfEhvlQd9DiTsOzLnWIKBlK:pE+K4ozvtYpjsBhX
MD5:	8C4F47A96A1F9F58AB28A2353627C153
SHA1:	4E7E9F7C7D630E2406FE76AD1576D35A773E9E06
SHA-256:	E1CFEEAABCFA9339523FAE340820F04895C7A8332B806FD4E813343516928DDE
SHA-512:	E251A5109139F7440F9E515F8132DC4116E59E29A0CDD2C9FC2DF2EE70B975EB6F8C1E373E5401C0B39A4D8BA9894EA3CCC7645E2C314214D787DFFF28D28478
Malicious:	true
Yara Hits:	Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Arnim Rupp
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45% Antivirus: Virustotal, Detection: 57%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.X.....................P............... ....@.. ...............................'....@.................................`...K....... ...............................................................................................H...........4SU.P.}s..... ......................@....text...H........................... ..`.rsrc... ............l..............@..@.reloc..............................@..B.................................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.log

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
MD5:	80EFBEC081D7836D240503C4C9465FEC
SHA1:	6AF398E08A359457083727BAF296445030A55AC3
SHA-256:	C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
SHA-512:	DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	5.285418593366258
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2+gYhD5iv:MLF20NaL3z2p29hJ5g522rW2+g2+
MD5:	63CC04E8E9DBE6842611C2E6E948F8FA
SHA1:	61F604AF4DABFEC36C39555FE4A32D1D6417927C
SHA-256:	0EDC65EF06683A15D2C8B6A455F8A29B29AE729069096A060D6C75E12AB0EB60
SHA-512:	57A4B08AEC6F1663C50AFF9259EEBFA50CCE8C4B406555E8522DCCF1E0DA03DA3686AE8208045D4ADC574396B9D8AD87B6C0D64FACE82AC913D2EBEC9A11700E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	data
Category:	dropped
Size (bytes):	248
Entropy (8bit):	7.094528505897445
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7r3l3TmKEt5mT1DhFtMhXvvHOxHB3GDq:X4LEnybgCFCtvd7bl3ThE4T19FtMhXvs
MD5:	061E700FE27D852034A5A44BF5985CCF
SHA1:	15B072DE6D6FDD92AE36F074345FA41985833E8D
SHA-256:	4BBB88AF530693EB4A710B0591D4BAF585837242C5690F5A821BF2FC9CC587CD
SHA-512:	CF6C5458AB50C859740490985D1E7E887D1116F3FA947FF2EC49AF9997A42F3402C63EF42B93498544195D9859FBB19CCC295966564B30F5ADB4A36D4E8886C6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..O*V..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.w

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:nS:nS
MD5:	936600CAA6F0F7229FF1F3E8F92BE5EB
SHA1:	311583C4CA7235B76A80EBF66DABB67119877474
SHA-256:	2632A97CC041EF4110299290C537C046021994E5A5C0E5970D6C6A7E11F917CD
SHA-512:	247551FBCD4BD20952910B2B33BDA3674558D71A24C16B8F9162CCC8D032CB0E7CFA0C85EC63E12200D46ACDECD5484BBB3653B64CABDE1538F8B2BB2CB1AA0E
Malicious:	true
Preview:	......H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	data
Category:	dropped
Size (bytes):	433688
Entropy (8bit):	7.999519077450246
Encrypted:	true
SSDEEP:	12288:dcRKtiKlC1FGhWjoORvi5oCILR9Eax5uoj:KRCiKECCGoD9Eaioj
MD5:	D2D87B1E9F691E38698A9683C9E213C1
SHA1:	87FAA25A212348CCD20567929D52A0ADE5BE07CE
SHA-256:	4115C31136A8A8F4642D3F5E7032A248381FCF36B047CFD911F974600F140039
SHA-512:	541F3C4C9CA97C085065FA5881D9A336F0BE474C90D1C65379CA7CB7F084B6496ED52A61F9133FD29DE5DB57C2B1F2CC302498579C5A158F823612EAC248C5DC
Malicious:	false
Preview:	.........O.......\8..5N..`S.]..[r.$>.\.#v&..$.......Z.i..M.Mn5.@..@...3.R..Y...}>C.b....Z........K..^.d...Z...K.#...dn$e ..XP.^.#.......V...dB.Kn.Y.c..-k....M.D...Q.S..R.X.........._...Zz...#.=<.V.NHZq.h..ON..oq.:...,7H....../..Q..R.u6.."....<.`..z.5b($..9.CF.F1...o?.h.}....;Ay....kL}7...I.-.}..D&...C....%.J..+..1.5.a..Ih....s........G..?..9^0e...p..FCvNt.e...B/...y.h.G.0..o,Q.2[..........e.P8.....yr.....Q....../..S..m.......\.wA.a1.]...oW........PY..h....f:.....Ss.....\.8...@R._A...M..X....V.f).]z..u{.z-....W...NaT+.&:...1.D../.7..\.S..z..!.....#..F.d.......m'..........6.2....:H...bd].._......}.n.=...l.7%r.>...B.Q.K..q...Ex.6.6....P..^...i...Mx...;g...,t..fCd.\.b....e{.\...Y=4......+..T....j}..\|66g.s...z...Y.kTi..?Xy...5\...SO..W.U.3A.$.l..{.D...no.E..v.2.:..a..hdhO..t.w.k..T\|Po.....D?..mG.[.2.;....+...8.6.h!..w.3...w.o.....\|....f.v.to.B.{`o..a.....f.cu..........?......"...u..EA...^)W..z..jtU{^......5#....y.s.......e.l..&...%...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.4582092585373525
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File size:	924672
MD5:	8c4f47a96a1f9f58ab28a2353627c153
SHA1:	4e7e9f7c7d630e2406fe76ad1576d35a773e9e06
SHA256:	e1cfeeaabcfa9339523fae340820f04895c7a8332b806fd4e813343516928dde
SHA512:	e251a5109139f7440f9e515f8132dc4116e59e29a0cdd2c9fc2df2ee70b975eb6f8c1e373e5401c0b39a4d8ba9894ea3ccc7645e2c314214d787dfff28d28478
SSDEEP:	12288:pLYT+m0qD8CEULAfPpIuG1JZnXiGDyQics5Ec0Y7JOfEhvlQd9DiTsOzLnWIKBlK:pE+K4ozvtYpjsBhX
TLSH:	6C15FF9835203E9ECC5FC471DB791FE49E137E66430AC1D3643B29A9BA9C486CE543A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.X.....................P............... ....@.. ...............................'....@................................

File Icon


Icon Hash:	f0d6e66799bcc678

Static PE Info

General

Entrypoint:	0x4ea00a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x58016ADD [Fri Oct 14 23:31:41 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004EA000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e860	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x5ab20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xea000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x1e000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
4SUP}s	0x2000	0x1a110	0x1a200	False	1.000383148923445	data	7.998441047887134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x1e000	0x6c448	0x6c600	False	0.6105757100634371	data	6.673125048528245	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x5ab20	0x5ac00	False	0.11296918044077135	data	4.047706271353626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe8000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xea000	0x10	0x200	False	0.046875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x8c1d8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144
RT_ICON	0xce200	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536
RT_ICON	0xdea28	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384
RT_ICON	0xe2c50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON	0xe51f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON	0xe62a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024
RT_GROUP_ICON	0xe6708	0x5a	data
RT_VERSION	0xe6764	0x3bc	data	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
213.152.161.85192.168.2.36755497052810290 02/04/23-04:02:37.885591	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	6755	49705	213.152.161.85	192.168.2.3
192.168.2.3213.152.161.854970067552816718 02/04/23-04:02:18.413039	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49700	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971167552816766 02/04/23-04:03:22.114925	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49711	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970867552816766 02/04/23-04:02:58.659576	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49708	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971367552816766 02/04/23-04:03:34.873002	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49713	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971367552816718 02/04/23-04:03:32.601666	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49713	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971667552816766 02/04/23-04:03:58.093532	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49716	6755	192.168.2.3	213.152.161.85
213.152.161.85192.168.2.36755497122841753 02/04/23-04:03:27.123757	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6755	49712	213.152.161.85	192.168.2.3
213.152.161.85192.168.2.36755497032841753 02/04/23-04:02:24.159041	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6755	49703	213.152.161.85	192.168.2.3
192.168.2.3213.152.161.854970567552816766 02/04/23-04:02:38.804523	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49705	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971567552816766 02/04/23-04:03:50.787453	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49715	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970767552816766 02/04/23-04:02:51.380389	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49707	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970367552816766 02/04/23-04:02:24.379082	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49703	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970967552816766 02/04/23-04:03:05.988800	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49709	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971267552816766 02/04/23-04:03:27.448220	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49712	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971767552816766 02/04/23-04:04:04.561310	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49717	6755	192.168.2.3	213.152.161.85
213.152.161.85192.168.2.36755497112841753 02/04/23-04:03:22.044641	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6755	49711	213.152.161.85	192.168.2.3
192.168.2.3213.152.161.854970067552816766 02/04/23-04:02:19.457207	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49700	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970667552816766 02/04/23-04:02:45.198697	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49706	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971467552816766 02/04/23-04:03:42.744453	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49714	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970467552816766 02/04/23-04:02:30.984485	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49704	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971067552816766 02/04/23-04:03:16.374407	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49710	6755	192.168.2.3	213.152.161.85

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2023 04:02:04.611284971 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:07.613686085 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:13.629790068 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:15.676836967 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:15.680389881 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.111125946 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.205787897 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.205946922 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.322611094 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.322686911 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.392013073 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.420710087 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.528934002 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.529026031 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.638359070 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.658832073 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.666656017 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.666857958 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.673273087 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.681354046 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.681562901 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.688656092 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.696311951 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.696590900 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.703542948 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.711205959 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.711426973 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.719104052 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.726268053 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.726416111 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.739782095 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.747046947 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.747176886 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.754599094 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.761791945 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.761902094 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.770402908 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.777575970 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.777683020 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.785461903 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.792680979 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.792895079 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.801043034 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.808748007 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.809031010 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.816339016 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.823241949 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.823446989 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.832508087 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.839982986 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.840135098 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.846998930 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.854598999 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.854706049 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.861953974 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.869898081 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.870024920 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.877110958 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.884836912 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.884959936 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.913599968 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.921849012 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.922086954 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.929075003 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.937515974 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.937809944 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.944855928 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.952564001 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.952915907 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.960236073 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.967772961 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.967920065 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.975361109 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.983282089 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.983412981 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.991182089 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.998938084 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.999104023 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.006727934 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.014380932 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.014542103 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.022173882 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.029648066 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.029809952 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.037746906 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.045418978 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.045552015 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.053241968 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.060940981 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.061116934 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.069979906 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.077694893 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.077814102 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.085335016 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.093101978 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.093220949 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.100375891 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.108539104 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.108741999 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.116328955 CET	6755	49700	213.152.161.85	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2023 04:02:04.475367069 CET	49977	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:04.585163116 CET	53	49977	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:23.751883030 CET	57990	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:23.861915112 CET	53	57990	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:28.712673903 CET	52387	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:28.820549965 CET	53	52387	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:36.860551119 CET	56924	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:36.968187094 CET	53	56924	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:43.029052019 CET	60625	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:43.047238111 CET	53	60625	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:49.385057926 CET	49302	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:49.403115034 CET	53	49302	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:56.138262987 CET	53975	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:56.245413065 CET	53	53975	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:03.168420076 CET	51139	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:03.277697086 CET	53	51139	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:11.669126034 CET	52955	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:11.687891960 CET	53	52955	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:21.697429895 CET	60582	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:21.804183006 CET	53	60582	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:26.464158058 CET	57134	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:26.572953939 CET	53	57134	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:32.089087009 CET	62050	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:32.199491024 CET	53	62050	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:39.334427118 CET	56042	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:39.441394091 CET	53	56042	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:48.096045971 CET	59636	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:48.114181042 CET	53	59636	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:55.169281006 CET	55638	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:55.187141895 CET	53	55638	8.8.8.8	192.168.2.3
Feb 4, 2023 04:04:02.506531954 CET	57704	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:04:02.526576996 CET	53	57704	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 4, 2023 04:02:04.475367069 CET	192.168.2.3	8.8.8.8	0x38ce	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:23.751883030 CET	192.168.2.3	8.8.8.8	0xe29d	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:28.712673903 CET	192.168.2.3	8.8.8.8	0x6bc8	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:36.860551119 CET	192.168.2.3	8.8.8.8	0x1fc4	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:43.029052019 CET	192.168.2.3	8.8.8.8	0x9b90	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:49.385057926 CET	192.168.2.3	8.8.8.8	0xe464	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:56.138262987 CET	192.168.2.3	8.8.8.8	0x1c8c	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:03.168420076 CET	192.168.2.3	8.8.8.8	0xd889	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:11.669126034 CET	192.168.2.3	8.8.8.8	0x1f72	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:21.697429895 CET	192.168.2.3	8.8.8.8	0x3bb2	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:26.464158058 CET	192.168.2.3	8.8.8.8	0x4477	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:32.089087009 CET	192.168.2.3	8.8.8.8	0x6db4	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:39.334427118 CET	192.168.2.3	8.8.8.8	0xc4e7	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:48.096045971 CET	192.168.2.3	8.8.8.8	0x4382	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:55.169281006 CET	192.168.2.3	8.8.8.8	0x4de6	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:04:02.506531954 CET	192.168.2.3	8.8.8.8	0x627a	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 4, 2023 04:02:04.585163116 CET	8.8.8.8	192.168.2.3	0x38ce	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:23.861915112 CET	8.8.8.8	192.168.2.3	0xe29d	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:28.820549965 CET	8.8.8.8	192.168.2.3	0x6bc8	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:36.968187094 CET	8.8.8.8	192.168.2.3	0x1fc4	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:43.047238111 CET	8.8.8.8	192.168.2.3	0x9b90	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:49.403115034 CET	8.8.8.8	192.168.2.3	0xe464	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:56.245413065 CET	8.8.8.8	192.168.2.3	0x1c8c	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:03.277697086 CET	8.8.8.8	192.168.2.3	0xd889	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:11.687891960 CET	8.8.8.8	192.168.2.3	0x1f72	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:21.804183006 CET	8.8.8.8	192.168.2.3	0x3bb2	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:26.572953939 CET	8.8.8.8	192.168.2.3	0x4477	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:32.199491024 CET	8.8.8.8	192.168.2.3	0x6db4	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:39.441394091 CET	8.8.8.8	192.168.2.3	0xc4e7	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:48.114181042 CET	8.8.8.8	192.168.2.3	0x4382	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:55.187141895 CET	8.8.8.8	192.168.2.3	0x4de6	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:04:02.526576996 CET	8.8.8.8	192.168.2.3	0x627a	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:01:59
Start date:	04/02/2023
Path:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Imagebase:	0xe0000
File size:	924672 bytes
MD5 hash:	8C4F47A96A1F9F58AB28A2353627C153
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exePID: 5368, Parent PID: 4864

General

Target ID:	1
Start time:	04:02:01
Start date:	04/02/2023
Path:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Imagebase:	0xde0000
File size:	924672 bytes
MD5 hash:	8C4F47A96A1F9F58AB28A2353627C153
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: NanoCore, Description: unknown, Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: dhcpmon.exePID: 5240, Parent PID: 3452

General

Target ID:	2
Start time:	04:02:11
Start date:	04/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x610000
File size:	924672 bytes
MD5 hash:	8C4F47A96A1F9F58AB28A2353627C153
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Arnim Rupp
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs Detection: 57%, Virustotal, Browse
Reputation:	low

Analysis Process: dhcpmon.exePID: 5168, Parent PID: 5240

General

Target ID:	3
Start time:	04:02:15
Start date:	04/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:
File size:	924672 bytes
MD5 hash:	8C4F47A96A1F9F58AB28A2353627C153
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

⊘No disassembly

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000000.245601499.000000000016C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameProcexp.exeB vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.252344344.0000000004CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamedll.exe4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000003.248416107.0000000003825000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedll.exe4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.252420555.000000000150C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProcexp.exeB vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Binary or memory string: OriginalFilenameProcexp.exeB vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Static File Info

Windows Analysis Report
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe