

Windows Analysis Report
mfpmp.exe

Overview

General Information

Sample Name: mfpmp.exe
Analysis ID: 880358
MD5: 475b4814a0b6114c76ea55c7447b6108
SHA1: d9cb6110591e7fb53a29ee7c8efd2c7132b3a426
SHA256: 10feb93ebdb8dd942d6b7a878d1ee3920584e89cdead6e34ae8292bfb1916116
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Machine Learning detection for sample
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports

Classification

  • System is w10x64
  • mfpmp.exe (PID: 6504 cmdline: C:\Users\user\Desktop\mfpmp.exe MD5: 475B4814A0B6114C76EA55C7447B6108)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8507-1300-000c0a4c", "Group": "Default", "Domain1": "dinowar.anondns.net", "Domain2": "dinowar.dynv6.net", "Port": 21942, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 4997, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "1a000100", "MaxPacketSize": "0000a000", "GCThreshold": "f4ff9f00", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source | Rule | Description | Author | Strings
mfpmp.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
mfpmp.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
mfpmp.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    mfpmp.exe | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
    • 0xfef5:$x1: NanoCore Client
    • 0xff05:$x1: NanoCore Client
    • 0x1014d:$x2: NanoCore.ClientPlugin
    • 0x1018d:$x3: NanoCore.ClientPluginHost
    • 0x10142:$i1: IClientApp
    • 0x10163:$i2: IClientData
    • 0x1016f:$i3: IClientNetwork
    • 0x1017e:$i4: IClientAppHost
    • 0x101a7:$i5: IClientDataHost
    • 0x101b7:$i6: IClientLoggingHost
    • 0x101ca:$i7: IClientNetworkHost
    • 0x101dd:$i8: IClientUIHost
    • 0x101eb:$i9: IClientNameObjectCollection
    • 0x10207:$i10: IClientReadOnlyNameObjectCollection
    • 0xff54:$s1: ClientPlugin
    • 0x10156:$s1: ClientPlugin
    • 0x1064a:$s2: EndPoint
    • 0x10653:$s3: IPAddress
    • 0x1065d:$s4: IPEndPoint
    • 0x12093:$s6: get_ClientSettings
    • 0x12637:$s7: get_Connected
    mfpmp.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xfef5:$a: NanoCore
    • 0xff05:$a: NanoCore
    • 0x10139:$a: NanoCore
    • 0x1014d:$a: NanoCore
    • 0x1018d:$a: NanoCore
    • 0xff54:$b: ClientPlugin
    • 0x10156:$b: ClientPlugin
    • 0x10196:$b: ClientPlugin
    • 0x1007b:$c: ProjectData
    • 0x10a82:$d: DESCrypto
    • 0x1844e:$e: KeepAlive
    • 0x1643c:$g: LogClientMessage
    • 0x12637:$i: get_Connected
    • 0x10db8:$j: #=q
    • 0x10de8:$j: #=q
    • 0x10e04:$j: #=q
    • 0x10e34:$j: #=q
    • 0x10e50:$j: #=q
    • 0x10e6c:$j: #=q
    • 0x10e9c:$j: #=q
    • 0x10eb8:$j: #=q
    Source | Rule | Description | Author | Strings
    00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
      00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0xfcf5:$a: NanoCore
      • 0xfd05:$a: NanoCore
      • 0xff39:$a: NanoCore
      • 0xff4d:$a: NanoCore
      • 0xff8d:$a: NanoCore
      • 0xfd54:$b: ClientPlugin
      • 0xff56:$b: ClientPlugin
      • 0xff96:$b: ClientPlugin
      • 0xfe7b:$c: ProjectData
      • 0x10882:$d: DESCrypto
      • 0x1824e:$e: KeepAlive
      • 0x1623c:$g: LogClientMessage
      • 0x12437:$i: get_Connected
      • 0x10bb8:$j: #=q
      • 0x10be8:$j: #=q
      • 0x10c04:$j: #=q
      • 0x10c34:$j: #=q
      • 0x10c50:$j: #=q
      • 0x10c6c:$j: #=q
      • 0x10c9c:$j: #=q
      • 0x10cb8:$j: #=q
      00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
      • 0xff8d:$a1: NanoCore.ClientPluginHost
      • 0xff4d:$a2: NanoCore.ClientPlugin
      • 0x11ea6:$b1: get_BuilderSettings
      • 0xfda9:$b2: ClientLoaderForm.resources
      • 0x115c6:$b3: PluginCommand
      • 0xff7e:$b4: IClientAppHost
      • 0x1a3fe:$b5: GetBlockHash
      • 0x124fe:$b6: AddHostEntry
      • 0x161f1:$b7: LogClientException
      • 0x1246b:$b8: PipeExists
      • 0xffb7:$b9: IClientLoggingHost
      00000000.00000002.657080001.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
      • 0x11591:$a1: NanoCore.ClientPluginHost
      • 0x16bde:$a1: NanoCore.ClientPluginHost
      • 0x11554:$a2: NanoCore.ClientPlugin
      • 0x16c28:$a2: NanoCore.ClientPlugin
      • 0x11928:$b1: get_BuilderSettings
      • 0x115df:$b4: IClientAppHost
      • 0x11999:$b6: AddHostEntry
      • 0x11a08:$b7: LogClientException
      • 0x1197d:$b8: PipeExists
      • 0x115cc:$b9: IClientLoggingHost
      • 0x16bf8:$b9: IClientLoggingHost
      Source | Rule | Description | Author | Strings
      0.2.mfpmp.exe.29a171c.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
      • 0x40c2:$x1: NanoCore.ClientPluginHost
      0.2.mfpmp.exe.29a171c.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
      • 0x40c2:$x2: NanoCore.ClientPluginHost
      • 0x41a0:$s4: PipeCreated
      • 0x40dc:$s5: IClientLoggingHost
      0.2.mfpmp.exe.29a171c.1.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
      • 0x410c:$x2: NanoCore.ClientPlugin
      • 0x40c2:$x3: NanoCore.ClientPluginHost
      • 0x4122:$i3: IClientNetwork
      • 0x40dc:$i6: IClientLoggingHost
      • 0x3e5b:$s1: ClientPlugin
      • 0x4115:$s1: ClientPlugin
      0.2.mfpmp.exe.29a171c.1.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
      • 0x40c2:$a1: NanoCore.ClientPluginHost
      • 0x410c:$a2: NanoCore.ClientPlugin
      • 0x40dc:$b9: IClientLoggingHost
      0.2.mfpmp.exe.3a019a0.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
      • 0xd9ad:$x1: NanoCore.ClientPluginHost
      • 0xd9da:$x2: IClientNetworkHost

      AV Detection

      Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\mfpmp.exe, ProcessId: 6504, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud

      Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\mfpmp.exe, ProcessId: 6504, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Stealing of Sensitive Information

      Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\mfpmp.exe, ProcessId: 6504, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality

      Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\mfpmp.exe, ProcessId: 6504, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Snort IDS alerts (every alert below is Protocol: TCP, Classtype: A Network Trojan was detected):

      Timestamp                 Source                Destination           SID
      06/02/23-03:15:58.229871  192.168.2.5:49726     213.152.161.40:21942  2816766
      06/02/23-03:15:46.918356  192.168.2.5:49725     213.152.161.40:21942  2816766
      06/02/23-03:16:05.832874  192.168.2.5:49727     213.152.161.40:21942  2816766
      06/02/23-03:14:23.945597  192.168.2.5:49714     213.152.161.40:21942  2816766
      06/02/23-03:14:38.958735  192.168.2.5:49716     213.152.161.40:21942  2816766
      06/02/23-03:15:41.133556  192.168.2.5:49724     213.152.161.40:21942  2816766
      06/02/23-03:16:14.874731  192.168.2.5:49728     213.152.161.40:21942  2816766
      06/02/23-03:14:17.578597  192.168.2.5:49713     213.152.161.40:21942  2816766
      06/02/23-03:14:46.659916  192.168.2.5:49717     213.152.161.40:21942  2816766
      06/02/23-03:14:32.676847  192.168.2.5:49715     213.152.161.40:21942  2816766
      06/02/23-03:15:30.905805  192.168.2.5:49723     213.152.161.40:21942  2025019
      06/02/23-03:15:18.909197  192.168.2.5:49722     213.152.161.40:21942  2816766
      06/02/23-03:14:16.340330  192.168.2.5:49713     213.152.161.40:21942  2025019
      06/02/23-03:14:22.701480  192.168.2.5:49714     213.152.161.40:21942  2025019
      06/02/23-03:15:38.625540  192.168.2.5:49724     213.152.161.40:21942  2025019
      06/02/23-03:15:46.516736  192.168.2.5:49725     213.152.161.40:21942  2025019
      06/02/23-03:15:11.972977  192.168.2.5:49721     213.152.161.40:21942  2816766
      06/02/23-03:15:32.602475  192.168.2.5:49723     213.152.161.40:21942  2816766
      06/02/23-03:14:29.058470  192.168.2.5:49715     213.152.161.40:21942  2025019
      06/02/23-03:15:56.130210  192.168.2.5:49726     213.152.161.40:21942  2025019
      06/02/23-03:16:12.322829  192.168.2.5:49728     213.152.161.40:21942  2025019
      06/02/23-03:14:45.071339  192.168.2.5:49717     213.152.161.40:21942  2025019
      06/02/23-03:14:54.530247  192.168.2.5:49718     213.152.161.40:21942  2025019
      06/02/23-03:15:53.656106  213.152.161.40:21942  192.168.2.5:49725     2841753
      06/02/23-03:14:38.559097  192.168.2.5:49716     213.152.161.40:21942  2025019
      06/02/23-03:16:05.006045  192.168.2.5:49727     213.152.161.40:21942  2025019
      06/02/23-03:15:01.548154  192.168.2.5:49719     213.152.161.40:21942  2025019
      06/02/23-03:15:17.333804  192.168.2.5:49722     213.152.161.40:21942  2025019
      06/02/23-03:15:10.736542  192.168.2.5:49721     213.152.161.40:21942  2025019
      06/02/23-03:14:55.770847  192.168.2.5:49718     213.152.161.40:21942  2816766
      06/02/23-03:15:03.125668  192.168.2.5:49719     213.152.161.40:21942  2816766


      AV Detection

      Source: 00000000.00000002.665497536.00000000039F2000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8507-1300-000c0a4c", "Group": "Default", "Domain1": "dinowar.anondns.net", "Domain2": "dinowar.dynv6.net", "Port": 21942, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 4997, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "1a000100", "MaxPacketSize": "0000a000", "GCThreshold": "f4ff9f00", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
      Source: mfpmp.exe | ReversingLabs: Detection: 97%
      Source: mfpmp.exe | Virustotal: Detection: 87%
      Source: mfpmp.exe | Avira: detected
      Source: dinowar.anondns.net | Avira URL Cloud: Label: malware
      Source: dinowar.dynv6.net | Avira URL Cloud: Label: malware
      Source: Yara match | File source: mfpmp.exe, type: SAMPLE
      Source: Yara match | File source: 0.2.mfpmp.exe.3a019a0.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.51d0000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.51d4629.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.51d0000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.3a019a0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.3a05fc9.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.665497536.00000000039F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: mfpmp.exe PID: 6504, type: MEMORYSTR
      Source: mfpmp.exe | Joe Sandbox ML: detected
      Source: mfpmp.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: C:\Users\user\Desktop\mfpmp.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb0 source: mfpmp.exe, 00000000.00000002.655964464.0000000000B92000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: mfpmp.exe, 00000000.00000002.657080001.0000000002991000.00000004.00000800.00020000.00000000.sdmp, mfpmp.exe, 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb(X source: mfpmp.exe, 00000000.00000003.616013627.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\dll\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\mscorlib.pdb# source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: .pdbmscorlibsymbols\dll\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: iC:\Windows\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbH source: mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 4x nop then mov esp, ebp

      Networking

      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49713 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49713 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49714 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49714 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49715 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49715 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49716 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49716 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49717 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49717 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49718 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49718 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49719 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49719 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49721 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49722 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49722 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49723 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49724 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49725 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49725 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 213.152.161.40:21942 -> 192.168.2.5:49725
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49726 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49726 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49727 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 213.152.161.40:21942
      Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49728 -> 213.152.161.40:21942
      Source: Malware configuration extractor | URLs: dinowar.anondns.net
      Source: Malware configuration extractor | URLs: dinowar.dynv6.net
      Source: Joe Sandbox View | ASN Name: GLOBALLAYERNL GLOBALLAYERNL
      Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 213.152.161.40:21942
      Source: unknown | DNS traffic detected: queries for: dinowar.anondns.net
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04B02D0A WSARecv,
      Source: mfpmp.exe, 00000000.00000002.655964464.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: mfpmp.exe, 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud

      Source: Yara match | File source: mfpmp.exe, type: SAMPLE
      Source: Yara match | File source: 0.2.mfpmp.exe.3a019a0.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.51d0000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.51d4629.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.51d0000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.3a019a0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.3a05fc9.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.665497536.00000000039F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: mfpmp.exe PID: 6504, type: MEMORYSTR

      System Summary

      Source: mfpmp.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: mfpmp.exe, type: SAMPLE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: mfpmp.exe, type: SAMPLE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
      Source: mfpmp.exe, type: SAMPLE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.2.mfpmp.exe.29a171c.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.2.mfpmp.exe.29a171c.1.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.2.mfpmp.exe.29a171c.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.2.mfpmp.exe.3a019a0.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.2.mfpmp.exe.3a019a0.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.2.mfpmp.exe.3a019a0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.2.mfpmp.exe.4cc0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.2.mfpmp.exe.4cc0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.2.mfpmp.exe.4cc0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.2.mfpmp.exe.51d0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.2.mfpmp.exe.51d0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.2.mfpmp.exe.51d0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.2.mfpmp.exe.51d4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.2.mfpmp.exe.51d4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.2.mfpmp.exe.51d4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.2.mfpmp.exe.51d0000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.2.mfpmp.exe.51d0000.6.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.2.mfpmp.exe.51d0000.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.2.mfpmp.exe.3a019a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.2.mfpmp.exe.51f0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.2.mfpmp.exe.51f0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.2.mfpmp.exe.51f0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.2.mfpmp.exe.3a019a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.2.mfpmp.exe.3a019a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.2.mfpmp.exe.3a05fc9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.2.mfpmp.exe.3a05fc9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.2.mfpmp.exe.3a05fc9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.2.mfpmp.exe.29a171c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.2.mfpmp.exe.29a171c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.2.mfpmp.exe.29a171c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 0.2.mfpmp.exe.29a6598.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 0.2.mfpmp.exe.29a6598.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 0.2.mfpmp.exe.29a6598.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 00000000.00000002.657080001.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 00000000.00000002.667317565.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
      Source: 00000000.00000002.667317565.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore | Author: ditekSHen
      Source: 00000000.00000002.667317565.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.665497536.00000000039F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: mfpmp.exe PID: 6504, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: mfpmp.exe PID: 6504, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: mfpmp.exe PID: 6504, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: mfpmp.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: mfpmp.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: mfpmp.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: mfpmp.exe, type: SAMPLE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: mfpmp.exe, type: SAMPLE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: mfpmp.exe, type: SAMPLE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.mfpmp.exe.29a171c.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.29a171c.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.29a171c.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.mfpmp.exe.29a171c.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.mfpmp.exe.3a019a0.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.3a019a0.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.3a019a0.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.mfpmp.exe.3a019a0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.mfpmp.exe.4cc0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.4cc0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.4cc0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.mfpmp.exe.4cc0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.mfpmp.exe.51d0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.51d0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.51d0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.mfpmp.exe.51d0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.mfpmp.exe.51d4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.51d4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.51d4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.mfpmp.exe.51d4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.mfpmp.exe.51d0000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.51d0000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.51d0000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.mfpmp.exe.51d0000.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.mfpmp.exe.3a019a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.3a019a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.51f0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.51f0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.51f0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.mfpmp.exe.51f0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.mfpmp.exe.3a019a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.mfpmp.exe.3a019a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.mfpmp.exe.3a05fc9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.3a05fc9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.3a05fc9.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.mfpmp.exe.3a05fc9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.mfpmp.exe.29a171c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.29a171c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.29a171c.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.mfpmp.exe.29a171c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.mfpmp.exe.29a6598.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.29a6598.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.mfpmp.exe.29a6598.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.mfpmp.exe.29a6598.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.657080001.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.667317565.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000002.667317565.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000002.667317565.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.667317565.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.665497536.00000000039F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: mfpmp.exe PID: 6504, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: mfpmp.exe PID: 6504, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: mfpmp.exe PID: 6504, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04AA9248
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04AA8648
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04AA2FA8
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04AA23A0
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04AAAF18
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04AA306F
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04AA930F
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04B01642 NtQuerySystemInformation,
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04B01607 NtQuerySystemInformation,
      Source: mfpmp.exe, 00000000.00000002.657080001.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs mfpmp.exe
      Source: mfpmp.exe, 00000000.00000002.657080001.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs mfpmp.exe
      Source: mfpmp.exe, 00000000.00000002.667317565.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs mfpmp.exe
      Source: mfpmp.exe, 00000000.00000002.655964464.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs mfpmp.exe
      Source: mfpmp.exe, 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs mfpmp.exe
      Source: mfpmp.exe, 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs mfpmp.exe
      Source: mfpmp.exe, 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs mfpmp.exe
      Source: mfpmp.exe, 00000000.00000002.665497536.00000000039F2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs mfpmp.exe
      Source: mfpmp.exe, 00000000.00000002.665497536.00000000039F2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs mfpmp.exe
      Source: mfpmp.exe, 00000000.00000002.667851771.0000000005210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs mfpmp.exe
      Source: mfpmp.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9965897817460317
      Source: mfpmp.exe | ReversingLabs: Detection: 97%
      Source: mfpmp.exe | Virustotal: Detection: 87%
      Source: C:\Users\user\Desktop\mfpmp.exe | File read: C:\Users\user\Desktop\mfpmp.exe
      Source: mfpmp.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\mfpmp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\mfpmp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04B01402 AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04B013CB AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\mfpmp.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@18/1
      Source: mfpmp.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: mfpmp.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: mfpmp.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      Source: C:\Users\user\Desktop\mfpmp.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\mfpmp.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\mfpmp.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\mfpmp.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{281c27a0-1581-470a-8274-eb0265aada3d}
      Source: C:\Users\user\Desktop\mfpmp.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: mfpmp.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: mfpmp.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: mfpmp.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: C:\Users\user\Desktop\mfpmp.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: C:\Users\user\Desktop\mfpmp.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: mfpmp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb0 source: mfpmp.exe, 00000000.00000002.655964464.0000000000B92000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: mfpmp.exe, 00000000.00000002.657080001.0000000002991000.00000004.00000800.00020000.00000000.sdmp, mfpmp.exe, 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb(X source: mfpmp.exe, 00000000.00000003.616013627.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\dll\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\mscorlib.pdb# source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: .pdbmscorlibsymbols\dll\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: iC:\Windows\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: mfpmp.exe, 00000000.00000002.655440986.00000000008A5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbH source: mfpmp.exe, 00000000.00000002.655693521.00000000009FC000.00000004.00000010.00020000.00000000.sdmp

      Data Obfuscation

      Source: mfpmp.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: mfpmp.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_008D9D2C push eax; retf
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_008D9D30 pushad ; retf
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04B0248C push B8C2C3FFh; ret
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04B001F4 push B8C2C3FFh; ret
      Source: mfpmp.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: mfpmp.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 0.0.mfpmp.exe.2d0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
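The "High entropy of concatenated method names" signature above is a statistical check, not a string match. The Python below is an editor's example added to this page (it is not Joe Sandbox code and not part of the sample) that recomputes the check over five of the '#=q...' names listed in the report and over readable method names taken from the NanoProtectClient metadata further down (GetProtectDirectory, KillNanoCore and so on). The 5.0 bits/char threshold and the '#=q' prefix test are the editor's choices; Joe Sandbox's internal threshold is not published on this page.

```python
import math
from collections import Counter

# Method names copied from the report's "High entropy of concatenated method
# names" lines (the obfuscator's '#=q...' naming scheme).
OBFUSCATED_NAMES = [
    "#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=",
    "#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=",
    "#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=",
    "#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=",
    "#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8",
]
# Readable names from the NanoProtectClient metadata in the same report.
PLAIN_NAMES = [
    "GetProtectDirectory", "GetProtectFile", "CreateProtectFile", "KillNanoCore",
    "InitializePlugin", "LogClientMessage", "ConnectionStateChanged", "ReadPacket",
]

ENTROPY_THRESHOLD = 5.0  # editor's choice in bits/char, not Joe Sandbox's value


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names) -> float:
    """Entropy of all method names of one type concatenated, which is what the
    'High entropy of concatenated method names' signature measures."""
    return shannon_entropy("".join(names))


def looks_renamed(names, threshold: float = ENTROPY_THRESHOLD):
    """Return (verdict, entropy).  Base64-style renamed identifiers draw on
    ~64 symbols almost uniformly and approach 6 bits/char; CamelCase English
    identifiers stay near 4 bits/char.  A uniform '#=q' prefix on every name
    is a second, entropy-independent tell for this particular obfuscator."""
    ent = method_name_entropy(names)
    all_prefixed = bool(names) and all(n.startswith("#=q") for n in names)
    return (ent >= threshold or all_prefixed), ent


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("plain", PLAIN_NAMES)):
        verdict, ent = looks_renamed(names)
        print(f"{label:10s} entropy={ent:.2f} bits/char renamed={verdict}")
```

Entropy alone is a weak signal on very short name lists (a type with two or three methods never reaches the threshold), which is why the example also keys on the obfuscator's fixed prefix; the report's two Security API / Cryptographic API lines refer to exactly such '#=q' types.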

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\mfpmp.exe | File opened: C:\Users\user\Desktop\mfpmp.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\mfpmp.exe | Process information set: NOOPENFILEERRORBOX (identical line reported 40 times)
      Source: C:\Users\user\Desktop\mfpmp.exe TID: 6468 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\mfpmp.exe TID: 5692 | Thread sleep time: -40000s >= -30000s
      Source: C:\Users\user\Desktop\mfpmp.exe TID: 6480 | Thread sleep time: -640000s >= -30000s
      Source: C:\Users\user\Desktop\mfpmp.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\mfpmp.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\mfpmp.exe | Window / User API: foregroundWindowGot 1034
      Source: C:\Users\user\Desktop\mfpmp.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_04B0112A GetSystemInfo,
      Source: C:\Users\user\Desktop\mfpmp.exe | Thread delayed: delay time: 922337203685477
      Source: mfpmp.exe, 00000000.00000003.616013627.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000000.00000002.655964464.0000000000B66000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: mfpmp.exe, 00000000.00000003.605019535.0000000000B61000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\mfpmp.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\mfpmp.exe | Memory allocated: page read and write | page guard
      Source: mfpmp.exe, 00000000.00000002.655964464.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000000.00000003.616013627.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managern has been aborted because of either a thread exit or an application request.
      Source: mfpmp.exe, 00000000.00000003.616013627.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000000.00000003.604811258.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000000.00000003.605019535.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
      Source: mfpmp.exe, 00000000.00000002.657080001.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, mfpmp.exe, 00000000.00000002.657080001.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managerp
      Source: mfpmp.exe, 00000000.00000002.657080001.0000000002C33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerL
      Source: mfpmp.exe, 00000000.00000003.605019535.0000000000B61000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerl
      Source: mfpmp.exe, 00000000.00000003.408515369.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000000.00000003.604811258.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000000.00000003.394615412.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managert$
      Source: C:\Users\user\Desktop\mfpmp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\mfpmp.exe | Code function: 0_2_008CAF9A GetUserNameW,
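Read together, the behaviour lines above give the host-side indicators worth carrying out of this report: the single-instance mutex Global\{281c27a0-1581-470a-8274-eb0265aada3d}, the GUID-named directory created under AppData\Roaming, the Zone.Identifier stream opened with delete access (removing the mark-of-the-web), the MachineGuid read that NanoCore uses to identify the host, and three thread sleeps, one of them effectively unbounded. The Python below is an editor's example added to this page, not Joe Sandbox code, that parses lines in this report's form into an IOC and evasion summary; the sample lines are copied from the report. The interpretation of the sleep values is the editor's: they are read as milliseconds (the report's 30000 threshold is then the usual 30 s), and 922337203685477 is exactly 2^63 // 10000, i.e. Int64.MinValue in 100 ns units converted to milliseconds, a relative wait of roughly 29,000 years.

```python
import re
from collections import Counter

# Behaviour lines copied from this report (the "Source: <process>" cell dropped).
SAMPLE_LINES = [
    r"Mutant created: \Sessions\1\BaseNamedObjects\Global\{281c27a0-1581-470a-8274-eb0265aada3d}",
    r"File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A",
    r"File opened: C:\Users\user\Desktop\mfpmp.exe:Zone.Identifier read attributes | delete",
    "TID: 6468 Thread sleep time: -922337203685477s >= -30000s",
    "TID: 5692 Thread sleep time: -40000s >= -30000s",
    "TID: 6480 Thread sleep time: -640000s >= -30000s",
    r"Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    "Process information set: NOOPENFILEERRORBOX",
    "Process information set: NOOPENFILEERRORBOX",
]

GUID_RE = re.compile(r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")
SLEEP_RE = re.compile(r"Thread sleep time: (-?\d+)s")

# Editor's reading of the sleep values: they behave as milliseconds (the 30000
# threshold is the signature's 30 s), and 922337203685477 == 2**63 // 10000 is
# Int64.MinValue in 100 ns units, a relative wait of ~29,000 years.
INFINITE_WAIT_MS = (1 << 63) // 10000
LONG_SLEEP_MS = 3 * 60 * 1000          # report's "long sleeps (>= 3 min)"
SUSPICIOUS_SLEEP_MS = 30 * 1000        # report's ">= -30000s" comparison


def decode_sleep(value) -> str:
    """Classify one reported sleep interval."""
    ms = abs(int(value))
    if ms >= INFINITE_WAIT_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    if ms >= SUSPICIOUS_SLEEP_MS:
        return "suspicious"
    return "normal"


def triage(lines):
    """Summarise sandbox behaviour lines into IOCs and evasion flags."""
    r = {"mutexes": [], "dropped": [], "sleeps": [], "flags": set()}
    for line in lines:
        if line.startswith("Mutant created: "):
            name = line[len("Mutant created: "):]
            r["mutexes"].append(name)
            if "\\Global\\" in name and GUID_RE.search(name):
                r["flags"].add("global_guid_mutex")      # NanoCore-style single-instance mutex
        elif line.startswith("File created: "):
            path = line[len("File created: "):]
            r["dropped"].append(path)
            if "\\AppData\\Roaming\\" in path and GUID_RE.search(path):
                r["flags"].add("guid_dir_in_roaming")
        elif "Zone.Identifier" in line and "delete" in line:
            r["flags"].add("motw_removed")               # hides the download origin
        elif "MachineGuid" in line:
            r["flags"].add("machineguid_read")           # host fingerprint for the bot ID
        m = SLEEP_RE.search(line)
        if m:
            cls = decode_sleep(m.group(1))
            r["sleeps"].append((int(m.group(1)), cls))
            if cls != "normal":
                r["flags"].add("sleep_evasion")
    return r


def collapse(lines):
    """Deduplicate verbatim repeats, keeping first-seen order and a count, which
    is how the report's forty NOOPENFILEERRORBOX lines are best read."""
    counts = Counter(lines)
    return [(line, counts[line]) for line in dict.fromkeys(lines)]


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    print(sorted(summary["flags"]))
    for line, n in collapse(SAMPLE_LINES):
        print(f"{n:3d}x {line}")
```

The mutex and the Roaming directory name are the two artefacts a host-based hunt can pivot on directly (an open handle named Global\{GUID} held by a process that is not a known product, and a GUID-named directory under AppData\Roaming); NOOPENFILEERRORBOX by itself is ordinary SetErrorMode behaviour of the .NET runtime and carries no weight beyond its repetition.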

      Stealing of Sensitive Information

      Source: Yara match | File source: mfpmp.exe, type: SAMPLE
      Source: Yara match | File source: 0.2.mfpmp.exe.3a019a0.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.51d0000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.51d4629.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.51d0000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.3a019a0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.mfpmp.exe.3a05fc9.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.665497536.00000000039F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: mfpmp.exe PID: 6504, type: MEMORYSTR

      Remote Access Functionality

      Source: mfpmp.exe, 00000000.00000002.657080001.0000000002991000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: mfpmp.exe, 00000000.00000002.657080001.0000000002991000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: mfpmp.exe, 00000000.00000002.657080001.0000000002991000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: mfpmp.exe, 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: mfpmp.exe, 00000000.00000002.667317565.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: mfpmp.exe, 00000000.00000002.667317565.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: mfpmp.exe, 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: mfpmp.exe, 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: mfpmp.exe, 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: mfpmp.exe, 00000000.00000002.665497536.00000000039F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: mfpmp.exe | String found in binary or memory: NanoCore.ClientPluginHost
      Source: Yara matchFile source: mfpmp.exe, type: SAMPLE
      Source: Yara matchFile source: 0.2.mfpmp.exe.3a019a0.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.mfpmp.exe.51d0000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.0.mfpmp.exe.2d0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.mfpmp.exe.51d4629.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.mfpmp.exe.51d0000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.mfpmp.exe.3a019a0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.mfpmp.exe.3a05fc9.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.665497536.00000000039F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: mfpmp.exe PID: 6504, type: MEMORYSTR
      Source: C:\Users\user\Desktop\mfpmp.exeCode function: 0_2_04B0284E bind,
      Source: C:\Users\user\Desktop\mfpmp.exeCode function: 0_2_04B027FC bind,
      ATT&CK Matrix (techniques listed per tactic, in the report's row order; the number in parentheses is the count shown in the report cell)

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
      Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
      Privilege Escalation: Access Token Manipulation (1); Process Injection (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
      Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Hidden Files and Directories (1); Obfuscated Files or Information (2); Software Packing (11)
      Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
      Discovery: Security Software Discovery (1); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); System Information Discovery (3); Network Service Scanning; System Network Connections Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
      Collection: Input Capture (21); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
      Command and Control: Encrypted Channel (1); Non-Standard Port (1); Remote Access Software (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Commonly Used Port; Application Layer Protocol; Web Protocols
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Source | Detection | Scanner | Label | Link
      mfpmp.exe | 97% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore |
      mfpmp.exe | 88% | Virustotal | | Browse
      mfpmp.exe | 100% | Avira | TR/Dropper.MSIL.Gen7 |
      mfpmp.exe | 100% | Joe Sandbox ML | |
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label | Link
      dinowar.anondns.net | 3% | Virustotal | | Browse
      Source | Detection | Scanner | Label | Link
      dinowar.dynv6.net | 2% | Virustotal | | Browse
      dinowar.anondns.net | 3% | Virustotal | | Browse
      dinowar.anondns.net | 100% | Avira URL Cloud | malware |
      dinowar.dynv6.net | 100% | Avira URL Cloud | malware |
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      dinowar.anondns.net | 213.152.161.40 | true | true | | unknown
      Name | Malicious | Antivirus Detection | Reputation
      dinowar.anondns.net | true | 3%, Virustotal, Browse; Avira URL Cloud: malware | unknown
      dinowar.dynv6.net | true | 2%, Virustotal, Browse; Avira URL Cloud: malware | unknown
      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs
      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
      213.152.161.40 | dinowar.anondns.net | Netherlands | | 49453 | GLOBALLAYERNL | true
      Joe Sandbox Version:37.1.0 Beryl
      Analysis ID:880358
      Start date and time:2023-06-02 03:13:14 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 50s
      Hypervisor based Inspection enabled:false
      Report type:light
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:4
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample file name:mfpmp.exe
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@1/2@18/1
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
      • TCP Packets have been reduced to 100
      • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtDeviceIoControlFile calls found.
      Time | Type | Description
      03:14:14 | API Interceptor | 914x Sleep call for process: mfpmp.exe modified
      No context
      No context
      No context
      No context
      No context
      Process:C:\Users\user\Desktop\mfpmp.exe
      File Type:data
      Category:dropped
      Size (bytes):248
      Entropy (8bit):6.997351629001838
      Encrypted:false
      SSDEEP:6:X4LDAnybgCFcps0Oa706d+6zsThvr9ohWCsT9ZIWyq4B:X4LEnybgCF07hNgtr9oE/3oB
      MD5:EDB5F15385E111D1F43093F56149A3FB
      SHA1:D865A47A0997848D5D4005B857A3FD0027BCD3C6
      SHA-256:1995E579108E8EB3B6C00893E855E8204D1C36F150088736556B66BE445E7957
      SHA-512:C3C0ADA45BECD863F41369F766E719A6FDC7807096F17FAEFBA6466EBEE4830524046DAFB186E1DFB50B15B07F0877ECD3B4E5993B83E8D67FF5A68D4F2ACCFE
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview:Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*.............S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.|Z
      Process:C:\Users\user\Desktop\mfpmp.exe
      File Type:data
      Category:dropped
      Size (bytes):8
      Entropy (8bit):3.0
      Encrypted:false
      SSDEEP:3:V66pt:1
      MD5:C8A6A661D6743E259E659C36B4C72D17
      SHA1:1526F977C40AB1700E731F506D7FFB2BC440ED9E
      SHA-256:AD606B5A81C70DDA9F84813BAAAF04DE4605FCA79877D9B9F2C69316605A5C29
      SHA-512:15598B836EF25A356884598B374A5CDF286812B4DFB13A5D266F16AC60B8F36FC9114823A390B72AF44ACA63AC1CD9CE29EDC40F8E827B749708AD0620A68043
      Malicious:true
      Reputation:low
      Preview:.a..Rc.H
      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit):7.476662499761944
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      • Win32 Executable (generic) a (10002005/4) 49.78%
      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
      • Generic Win/DOS Executable (2004/3) 0.01%
      • DOS Executable Generic (2002/1) 0.01%
      File name:mfpmp.exe
      File size:214528
      MD5:475b4814a0b6114c76ea55c7447b6108
      SHA1:d9cb6110591e7fb53a29ee7c8efd2c7132b3a426
      SHA256:10feb93ebdb8dd942d6b7a878d1ee3920584e89cdead6e34ae8292bfb1916116
      SHA512:cb822c8b67d1733a9d4779d1e35c737db6f4ad47d2ded10aacdcd7d85acf72e58eb71d2b8bbb90e9c271041efe87f5654ea661bd786d8376d6fc4b4717c82c9b
      SSDEEP:6144:ELV6Bta6dtJmakIM5zmMVrunW9jnHzmycg81x:ELV6Btpmk8msrunW9P+
      TLSH:B724CF167BA84A3FE2DE8AB9711211028379C2E398C3F3DE5CD495B74B267E50A071D7
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................|........... ........@.. .....................................................................
      Icon Hash:90cececece8e8eb0
      Entrypoint:0x41e792
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      DLL Characteristics:
      Time Stamp:0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
      Instruction
      jmp dword ptr [00402000h]
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e738 | 0x57 | .text
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x17860 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x2000 | 0x1c798 | 0x1c800 | False | 0.5945124040570176 | data | 6.59808650483268 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .reloc | 0x20000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      .rsrc | 0x22000 | 0x17860 | 0x17a00 | False | 0.9965897817460317 | data | 7.997328427019175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country
      RT_RCDATA | 0x22058 | 0x17808 | data | |
      DLL | Import
      mscoree.dll | _CorExeMain
      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
      06/02/23-03:15:58.229871 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49726 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:46.918356 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49725 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:16:05.832874 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49727 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:14:23.945597 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49714 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:14:38.958735 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49716 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:41.133556 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49724 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:16:14.874731 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49728 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:14:17.578597 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:14:46.659916 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49717 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:14:32.676847 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:30.905805 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49723 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:18.909197 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49722 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:14:16.340330 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:14:22.701480 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49714 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:38.625540 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49724 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:46.516736 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49725 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:11.972977 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49721 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:32.602475 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49723 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:14:29.058470 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:56.130210 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49726 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:16:12.322829 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49728 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:14:45.071339 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49717 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:14:54.530247 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49718 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:53.656106 | TCP | 2841753 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) | 21942 | 49725 | 213.152.161.40 | 192.168.2.5
      06/02/23-03:14:38.559097 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49716 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:16:05.006045 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:01.548154 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49719 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:17.333804 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49722 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:10.736542 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49721 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:14:55.770847 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49718 | 21942 | 192.168.2.5 | 213.152.161.40
      06/02/23-03:15:03.125668 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49719 | 21942 | 192.168.2.5 | 213.152.161.40
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Jun 2, 2023 03:14:15.897165060 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:16.291115046 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:16.292726994 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:16.340329885 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:16.740214109 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:16.741002083 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:17.182162046 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:17.182327032 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:17.577496052 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:17.578597069 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:18.023407936 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:18.023624897 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:18.153752089 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:18.452577114 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:18.452625036 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:18.452646971 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:18.452670097 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:18.452670097 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:18.452722073 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:18.452725887 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:18.452780008 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:18.452780008 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:18.452825069 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:18.453490019 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:18.453512907 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:18.453535080 CEST | 21942 | 49713 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:18.453617096 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:18.453643084 CEST | 49713 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:22.293716908 CEST | 49714 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:22.689059019 CEST | 21942 | 49714 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:22.689198971 CEST | 49714 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:22.701479912 CEST | 49714 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:23.106259108 CEST | 21942 | 49714 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:23.107754946 CEST | 49714 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:23.549438000 CEST | 21942 | 49714 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:23.550512075 CEST | 49714 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:23.945451975 CEST | 21942 | 49714 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:23.945596933 CEST | 49714 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:24.559926987 CEST | 49714 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:28.666457891 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:29.057277918 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:29.057544947 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:29.058470011 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:29.456240892 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:29.456424952 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:30.233597994 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:30.636657953 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:30.636878014 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.069416046 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.073952913 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.500612974 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.500646114 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.500659943 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.500674009 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.500886917 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.501477003 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.501518965 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.501518965 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.501554012 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.501625061 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.501672983 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.501741886 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.501791000 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.892621040 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.892793894 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.892899036 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.892967939 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.893393040 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.893415928 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.893439054 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.893467903 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.893497944 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.893512964 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:31.894252062 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:31.894345045 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.200197935 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.284379959 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.284544945 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.284564972 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.284594059 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.284624100 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.284672976 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.284677982 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.284704924 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.284723997 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.284744978 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.285245895 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.285310030 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.645306110 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.645418882 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.675637007 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.675745964 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.676757097 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.676791906 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.676811934 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.676831961 CEST | 21942 | 49715 | 213.152.161.40 | 192.168.2.5
      Jun 2, 2023 03:14:32.676846981 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.676846981 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.676883936 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Jun 2, 2023 03:14:32.676893950 CEST | 49715 | 21942 | 192.168.2.5 | 213.152.161.40
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Jun 2, 2023 03:14:15.853120089 CEST | 49177 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:14:15.885448933 CEST | 53 | 49177 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:14:22.231913090 CEST | 49724 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:14:22.253011942 CEST | 53 | 49724 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:14:28.631515026 CEST | 61452 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:14:28.664314032 CEST | 53 | 61452 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:14:37.110941887 CEST | 65323 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:14:37.149499893 CEST | 53 | 65323 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:14:44.644526005 CEST | 51484 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:14:44.672653913 CEST | 53 | 51484 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:14:51.091420889 CEST | 63446 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:14:51.118262053 CEST | 53 | 63446 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:15:01.121577978 CEST | 56751 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:15:01.150638103 CEST | 53 | 56751 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:15:09.295682907 CEST | 60975 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:15:09.324079990 CEST | 53 | 60975 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:15:16.925514936 CEST | 59220 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:15:16.940361977 CEST | 53 | 59220 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:15:23.323892117 CEST | 55068 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:15:24.376849890 CEST | 55068 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:15:25.449541092 CEST | 55068 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:15:27.482081890 CEST | 53 | 55068 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:15:37.110519886 CEST | 56682 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:15:38.121855974 CEST | 56682 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:15:38.144364119 CEST | 53 | 56682 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:15:39.134860039 CEST | 53 | 56682 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:15:46.034936905 CEST | 58532 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:15:46.071866035 CEST | 53 | 58532 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:15:52.640743017 CEST | 62659 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:15:52.668926954 CEST | 53 | 62659 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:16:03.578902960 CEST | 58581 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:16:03.599817038 CEST | 53 | 58581 | 8.8.8.8 | 192.168.2.5
      Jun 2, 2023 03:16:11.905319929 CEST | 56263 | 53 | 192.168.2.5 | 8.8.8.8
      Jun 2, 2023 03:16:11.926800966 CEST | 53 | 56263 | 8.8.8.8 | 192.168.2.5
      Timestamp | Source IP | Dest IP | Checksum | Code | Type
      Jun 2, 2023 03:15:39.135045052 CEST | 192.168.2.5 | 8.8.8.8 | d008 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 2, 2023 03:14:15.853120089 CEST | 192.168.2.5 | 8.8.8.8 | 0x96b3 | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:14:22.231913090 CEST | 192.168.2.5 | 8.8.8.8 | 0x367a | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:14:28.631515026 CEST | 192.168.2.5 | 8.8.8.8 | 0x1016 | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:14:37.110941887 CEST | 192.168.2.5 | 8.8.8.8 | 0x1c00 | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:14:44.644526005 CEST | 192.168.2.5 | 8.8.8.8 | 0xc195 | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:14:51.091420889 CEST | 192.168.2.5 | 8.8.8.8 | 0x997c | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:01.121577978 CEST | 192.168.2.5 | 8.8.8.8 | 0xb8bf | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:09.295682907 CEST | 192.168.2.5 | 8.8.8.8 | 0x9cdf | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:16.925514936 CEST | 192.168.2.5 | 8.8.8.8 | 0x8754 | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:23.323892117 CEST | 192.168.2.5 | 8.8.8.8 | 0xd62c | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:24.376849890 CEST | 192.168.2.5 | 8.8.8.8 | 0xd62c | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:25.449541092 CEST | 192.168.2.5 | 8.8.8.8 | 0xd62c | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:37.110519886 CEST | 192.168.2.5 | 8.8.8.8 | 0x89d3 | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:38.121855974 CEST | 192.168.2.5 | 8.8.8.8 | 0x89d3 | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:46.034936905 CEST | 192.168.2.5 | 8.8.8.8 | 0xf3b5 | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:52.640743017 CEST | 192.168.2.5 | 8.8.8.8 | 0xaee7 | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:16:03.578902960 CEST | 192.168.2.5 | 8.8.8.8 | 0x1577 | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:16:11.905319929 CEST | 192.168.2.5 | 8.8.8.8 | 0xf81a | Standard query (0) | dinowar.anondns.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName (- = none) | Address | Type | Class | DNS over HTTPS
Jun 2, 2023 03:14:15.885448933 CEST | 8.8.8.8 | 192.168.2.5 | 0x96b3 | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:14:22.253011942 CEST | 8.8.8.8 | 192.168.2.5 | 0x367a | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:14:28.664314032 CEST | 8.8.8.8 | 192.168.2.5 | 0x1016 | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:14:37.149499893 CEST | 8.8.8.8 | 192.168.2.5 | 0x1c00 | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:14:44.672653913 CEST | 8.8.8.8 | 192.168.2.5 | 0xc195 | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:14:51.118262053 CEST | 8.8.8.8 | 192.168.2.5 | 0x997c | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:01.150638103 CEST | 8.8.8.8 | 192.168.2.5 | 0xb8bf | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:09.324079990 CEST | 8.8.8.8 | 192.168.2.5 | 0x9cdf | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:16.940361977 CEST | 8.8.8.8 | 192.168.2.5 | 0x8754 | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:27.482081890 CEST | 8.8.8.8 | 192.168.2.5 | 0xd62c | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:38.144364119 CEST | 8.8.8.8 | 192.168.2.5 | 0x89d3 | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:39.134860039 CEST | 8.8.8.8 | 192.168.2.5 | 0x89d3 | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:46.071866035 CEST | 8.8.8.8 | 192.168.2.5 | 0xf3b5 | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:15:52.668926954 CEST | 8.8.8.8 | 192.168.2.5 | 0xaee7 | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:16:03.599817038 CEST | 8.8.8.8 | 192.168.2.5 | 0x1577 | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 03:16:11.926800966 CEST | 8.8.8.8 | 192.168.2.5 | 0xf81a | No error (0) | dinowar.anondns.net | - | 213.152.161.40 | A (IP address) | IN (0x0001) | false
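The DNS, UDP and ICMP tables above show the behaviour a detection engineer cares about: one name, resolved repeatedly to one address, on a steady cadence, with stub-resolver retransmissions (repeated transaction IDs from the same source port) and one late answer that triggered the ICMP port-unreachable. The script below is an added example, not part of the Joe Sandbox report; it takes the query, answer and ICMP records copied by hand from the tables above and derives beacon cadence, retry counts, unanswered transactions and the late-answer/ICMP pairing. The 5 ms window used to tie an ICMP message to a late answer is an assumption.

```python
"""Beacon and retransmission analysis of the DNS records in the report above.

Added example, not part of the Joe Sandbox report. The tuples below were copied
by hand from the report's DNS query, DNS answer and ICMP tables; the 5 ms window
that ties an ICMP port-unreachable to a late answer is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

DAY = "2023-06-02 "            # every record falls on this date (CEST)
NAME = "dinowar.anondns.net"   # the only name queried in the report


def ts(s):
    """Parse '03:15:39.135045052'; datetime keeps microseconds, so 3 digits drop."""
    hms, frac = s.split(".")
    return datetime.strptime(f"{DAY}{hms}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")


# (timestamp, transaction id) from the DNS query table, in report order
QUERIES = [
    ("03:14:15.853120089", "0x96b3"), ("03:14:22.231913090", "0x367a"),
    ("03:14:28.631515026", "0x1016"), ("03:14:37.110941887", "0x1c00"),
    ("03:14:44.644526005", "0xc195"), ("03:14:51.091420889", "0x997c"),
    ("03:15:01.121577978", "0xb8bf"), ("03:15:09.295682907", "0x9cdf"),
    ("03:15:16.925514936", "0x8754"), ("03:15:23.323892117", "0xd62c"),
    ("03:15:24.376849890", "0xd62c"), ("03:15:25.449541092", "0xd62c"),
    ("03:15:37.110519886", "0x89d3"), ("03:15:38.121855974", "0x89d3"),
    ("03:15:46.034936905", "0xf3b5"), ("03:15:52.640743017", "0xaee7"),
    ("03:16:03.578902960", "0x1577"), ("03:16:11.905319929", "0xf81a"),
]

# (timestamp, transaction id, answered address) from the DNS answer table
ANSWERS = [
    ("03:14:15.885448933", "0x96b3", "213.152.161.40"),
    ("03:14:22.253011942", "0x367a", "213.152.161.40"),
    ("03:14:28.664314032", "0x1016", "213.152.161.40"),
    ("03:14:37.149499893", "0x1c00", "213.152.161.40"),
    ("03:14:44.672653913", "0xc195", "213.152.161.40"),
    ("03:14:51.118262053", "0x997c", "213.152.161.40"),
    ("03:15:01.150638103", "0xb8bf", "213.152.161.40"),
    ("03:15:09.324079990", "0x9cdf", "213.152.161.40"),
    ("03:15:16.940361977", "0x8754", "213.152.161.40"),
    ("03:15:27.482081890", "0xd62c", "213.152.161.40"),
    ("03:15:38.144364119", "0x89d3", "213.152.161.40"),
    ("03:15:39.134860039", "0x89d3", "213.152.161.40"),
    ("03:15:46.071866035", "0xf3b5", "213.152.161.40"),
    ("03:15:52.668926954", "0xaee7", "213.152.161.40"),
    ("03:16:03.599817038", "0x1577", "213.152.161.40"),
    ("03:16:11.926800966", "0xf81a", "213.152.161.40"),
]

# (timestamp, source IP, destination IP, code) from the ICMP table
ICMP = [("03:15:39.135045052", "192.168.2.5", "8.8.8.8", "Port unreachable")]


def by_txid(records):
    """Group record timestamps by DNS transaction id, keeping report order."""
    groups = defaultdict(list)
    for stamp, txid, *_ in records:
        groups[txid].append(ts(stamp))
    return groups


def analyse(queries=QUERIES, answers=ANSWERS, icmp=ICMP, icmp_window=0.005):
    q, a = by_txid(queries), by_txid(answers)

    # Same transaction id sent more than once: stub-resolver retransmission
    retries = {txid: len(v) - 1 for txid, v in q.items() if len(v) > 1}
    unanswered = [txid for txid in q if txid not in a]

    # A second answer to one transaction arrives after the resolver closed its
    # socket; the host then emits an ICMP port-unreachable within microseconds.
    unreachable = [ts(stamp) for stamp, *_ in icmp]
    late = [t for v in a.values() for t in v[1:]]
    late_with_icmp = sum(
        1 for t in late
        if any(abs((u - t).total_seconds()) < icmp_window for u in unreachable)
    )

    # Beacon cadence: gaps between the first attempt of each transaction
    firsts = sorted(v[0] for v in q.values())
    gaps = [(n - p).total_seconds() for p, n in zip(firsts, firsts[1:])]

    return {
        "name": NAME,
        "addresses": sorted({addr for _, _, addr in answers}),
        "distinct_queries": len(q),
        "retries": retries,
        "unanswered": unanswered,
        "late_answers": len(late),
        "late_answers_with_icmp_unreachable": late_with_icmp,
        "gap_min_s": min(gaps),
        "gap_median_s": median(gaps),
        "gap_max_s": max(gaps),
    }
```

Run against the records above, `analyse()` reports 15 distinct beacons at a 6 to 14 s cadence, two transactions retransmitted by the stub resolver (0xd62c twice, 0x89d3 once), no unanswered query, and the one late answer paired with the ICMP port-unreachable. Because every beacon uses a fresh transaction ID and source port, a DNS-side detection should key on the repeated name and the cadence rather than on any single query; the retries are resolver behaviour and should not be counted as extra beacons.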
      No statistics
Target ID: 0
Start time: 03:14:13
Start date: 02/06/2023 (DD/MM/YYYY, i.e. 2 June 2023)
Path: C:\Users\user\Desktop\mfpmp.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\mfpmp.exe
Imagebase: 0x2d0000
File size: 214528 bytes
MD5 hash: 475B4814A0B6114C76EA55C7447B6108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
Rules that fired (rule, author, description as given in the rule):
• Nanocore_RAT_Gen_2, Florian Roth (Nextron Systems): Detects the Nanocore RAT
• Nanocore_RAT_Feb18_1, Florian Roth (Nextron Systems): Detects Nanocore RAT
• JoeSecurity_Nanocore, Joe Security: Yara detected Nanocore RAT
• NanoCore, Kevin Breen <kevin@techanarchy.net>: Description unknown
• MALWARE_Win_NanoCore, ditekSHen: Detects NanoCore
• Windows_Trojan_Nanocore_d8c4e3c5, Author unknown: Description unknown
Memory dumps that matched, with the rules that fired on each:
• 00000000.00000000.390950299.00000000002D2000.00000002.00000001.01000000.00000003.sdmp (region at 0x2D2000, inside the sample's own image loaded at Imagebase 0x2d0000): Nanocore_RAT_Gen_2, JoeSecurity_Nanocore, NanoCore, Windows_Trojan_Nanocore_d8c4e3c5
• 00000000.00000002.657080001.0000000002991000.00000004.00000800.00020000.00000000.sdmp: Windows_Trojan_Nanocore_d8c4e3c5
• 00000000.00000002.667317565.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, MALWARE_Win_NanoCore, Windows_Trojan_Nanocore_d8c4e3c5
• 00000000.00000002.667774340.00000000051F0000.00000004.08000000.00040000.00000000.sdmp: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, MALWARE_Win_NanoCore, Windows_Trojan_Nanocore_d8c4e3c5
• 00000000.00000002.667674827.00000000051D0000.00000004.08000000.00040000.00000000.sdmp: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, JoeSecurity_Nanocore, MALWARE_Win_NanoCore, Windows_Trojan_Nanocore_d8c4e3c5
• 00000000.00000002.665497536.00000000039F2000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_Nanocore, Windows_Trojan_Nanocore_d8c4e3c5
Reputation: low

      No disassembly