
Windows Analysis Report
sqeCz4tgdW.exe

Overview

General Information

Sample Name: sqeCz4tgdW.exe
Original Sample Name: 0cea4eaf614191a2cf51abd70a672ed9.exe
Analysis ID: 880361
MD5: 0cea4eaf614191a2cf51abd70a672ed9
SHA1: 1f5259a6eeef5c641b324570f311bc8c86f32dc1
SHA256: 597475447158dd0612e5584c51a515cabb3eac9bd01681836318614cda4878d0
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports

Classification

  • System is w10x64
  • sqeCz4tgdW.exe (PID: 7000 cmdline: C:\Users\user\Desktop\sqeCz4tgdW.exe MD5: 0CEA4EAF614191A2CF51ABD70A672ED9)
  • dhcpmon.exe (PID: 3568 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 0CEA4EAF614191A2CF51ABD70A672ED9)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "95d7519b-29ef-446d-9925-48c3abcd", "Group": "Default", "Domain1": "4.tcp.ngrok.io", "Domain2": "4.tcp.ngrok.io", "Port": 17403, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source | Rule | Description | Author | Strings
Source: sqeCz4tgdW.exe | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: sqeCz4tgdW.exe | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: sqeCz4tgdW.exe | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: sqeCz4tgdW.exe | Rule: MALWARE_Win_NanoCore | Description: Detects NanoCore | Author: ditekSHen
  • 0xfef5:$x1: NanoCore Client
  • 0xff05:$x1: NanoCore Client
  • 0x1014d:$x2: NanoCore.ClientPlugin
  • 0x1018d:$x3: NanoCore.ClientPluginHost
  • 0x10142:$i1: IClientApp
  • 0x10163:$i2: IClientData
  • 0x1016f:$i3: IClientNetwork
  • 0x1017e:$i4: IClientAppHost
  • 0x101a7:$i5: IClientDataHost
  • 0x101b7:$i6: IClientLoggingHost
  • 0x101ca:$i7: IClientNetworkHost
  • 0x101dd:$i8: IClientUIHost
  • 0x101eb:$i9: IClientNameObjectCollection
  • 0x10207:$i10: IClientReadOnlyNameObjectCollection
  • 0xff54:$s1: ClientPlugin
  • 0x10156:$s1: ClientPlugin
  • 0x1064a:$s2: EndPoint
  • 0x10653:$s3: IPAddress
  • 0x1065d:$s4: IPEndPoint
  • 0x12093:$s6: get_ClientSettings
  • 0x12637:$s7: get_Connected
Source: sqeCz4tgdW.exe | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source | Rule | Description | Author | Strings
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: MALWARE_Win_NanoCore | Description: Detects NanoCore | Author: ditekSHen
  • 0xfef5:$x1: NanoCore Client
  • 0xff05:$x1: NanoCore Client
  • 0x1014d:$x2: NanoCore.ClientPlugin
  • 0x1018d:$x3: NanoCore.ClientPluginHost
  • 0x10142:$i1: IClientApp
  • 0x10163:$i2: IClientData
  • 0x1016f:$i3: IClientNetwork
  • 0x1017e:$i4: IClientAppHost
  • 0x101a7:$i5: IClientDataHost
  • 0x101b7:$i6: IClientLoggingHost
  • 0x101ca:$i7: IClientNetworkHost
  • 0x101dd:$i8: IClientUIHost
  • 0x101eb:$i9: IClientNameObjectCollection
  • 0x10207:$i10: IClientReadOnlyNameObjectCollection
  • 0xff54:$s1: ClientPlugin
  • 0x10156:$s1: ClientPlugin
  • 0x1064a:$s2: EndPoint
  • 0x10653:$s3: IPAddress
  • 0x1065d:$s4: IPEndPoint
  • 0x12093:$s6: get_ClientSettings
  • 0x12637:$s7: get_Connected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source | Rule | Description | Author | Strings
Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp | Rule: MALWARE_Win_NanoCore | Description: Detects NanoCore | Author: ditekSHen
  • 0xe38:$x2: NanoCore.ClientPlugin
  • 0xe75:$x3: NanoCore.ClientPluginHost
  • 0xe5a:$i1: IClientApp
  • 0xe4e:$i2: IClientData
  • 0xe29:$i3: IClientNetwork
  • 0xec3:$i4: IClientAppHost
  • 0xe65:$i5: IClientDataHost
  • 0xeb0:$i6: IClientLoggingHost
  • 0xe8f:$i7: IClientNetworkHost
  • 0xea2:$i8: IClientUIHost
  • 0xed2:$i9: IClientNameObjectCollection
  • 0xef7:$i10: IClientReadOnlyNameObjectCollection
  • 0xe41:$s1: ClientPlugin
  • 0x177c:$s1: ClientPlugin
  • 0x1789:$s1: ClientPlugin
  • 0x11f9:$s6: get_ClientSettings
  • 0x1249:$s7: get_Connected
Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Nanocore_d8c4e3c5 | Description: unknown | Author: unknown
  • 0xe75:$a1: NanoCore.ClientPluginHost
  • 0xe38:$a2: NanoCore.ClientPlugin
  • 0x120c:$b1: get_BuilderSettings
  • 0xec3:$b4: IClientAppHost
  • 0x127d:$b6: AddHostEntry
  • 0x12ec:$b7: LogClientException
  • 0x1261:$b8: PipeExists
  • 0xeb0:$b9: IClientLoggingHost
Source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 0.2.sqeCz4tgdW.exe.5620000.3.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 0.2.sqeCz4tgdW.exe.5620000.3.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 0.2.sqeCz4tgdW.exe.5620000.3.raw.unpack | Rule: MALWARE_Win_NanoCore | Description: Detects NanoCore | Author: ditekSHen
  • 0xe38:$x2: NanoCore.ClientPlugin
  • 0xe75:$x3: NanoCore.ClientPluginHost
  • 0xe5a:$i1: IClientApp
  • 0xe4e:$i2: IClientData
  • 0xe29:$i3: IClientNetwork
  • 0xec3:$i4: IClientAppHost
  • 0xe65:$i5: IClientDataHost
  • 0xeb0:$i6: IClientLoggingHost
  • 0xe8f:$i7: IClientNetworkHost
  • 0xea2:$i8: IClientUIHost
  • 0xed2:$i9: IClientNameObjectCollection
  • 0xef7:$i10: IClientReadOnlyNameObjectCollection
  • 0xe41:$s1: ClientPlugin
  • 0x177c:$s1: ClientPlugin
  • 0x1789:$s1: ClientPlugin
  • 0x11f9:$s6: get_ClientSettings
  • 0x1249:$s7: get_Connected
Source: 0.2.sqeCz4tgdW.exe.5620000.3.raw.unpack | Rule: Windows_Trojan_Nanocore_d8c4e3c5 | Description: unknown | Author: unknown
  • 0xe75:$a1: NanoCore.ClientPluginHost
  • 0xe38:$a2: NanoCore.ClientPlugin
  • 0x120c:$b1: get_BuilderSettings
  • 0xec3:$b4: IClientAppHost
  • 0x127d:$b6: AddHostEntry
  • 0x12ec:$b7: LogClientException
  • 0x1261:$b8: PipeExists
  • 0xeb0:$b9: IClientLoggingHost
Source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0x23c38:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
  • 0x23c65:$x2: IClientNetworkHost

        AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\sqeCz4tgdW.exe, ProcessId: 7000, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\sqeCz4tgdW.exe, ProcessId: 7000, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\sqeCz4tgdW.exe, ProcessId: 7000, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\sqeCz4tgdW.exe, ProcessId: 7000, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype
06/02/23-03:18:14.807235 | 192.168.2.7 | 49711 | 3.131.147.49 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:17:24.631045 | 192.168.2.7 | 49701 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:18:19.558845 | 192.168.2.7 | 49712 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:19:11.880129 | 192.168.2.7 | 49722 | 3.131.147.49 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:18:24.437024 | 192.168.2.7 | 49713 | 3.131.147.49 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:18:10.096340 | 192.168.2.7 | 49710 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:19:01.687305 | 192.168.2.7 | 49720 | 3.131.147.49 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:18:29.201957 | 192.168.2.7 | 49714 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:19:06.902900 | 192.168.2.7 | 49721 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:17:29.974643 | 192.168.2.7 | 49702 | 3.131.147.49 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:18:33.818642 | 192.168.2.7 | 49715 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:17:39.703803 | 192.168.2.7 | 49704 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:17:44.449297 | 192.168.2.7 | 49705 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:17:14.925523 | 192.168.2.7 | 49699 | 3.129.187.220 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:18:39.059373 | 192.168.2.7 | 49716 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:18:54.982902 | 192.168.2.7 | 49719 | 3.131.147.49 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:17:19.627500 | 192.168.2.7 | 49700 | 3.129.187.220 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:19:17.220052 | 192.168.2.7 | 49723 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:18:24.437024 | 192.168.2.7 | 49713 | 3.131.147.49 | 17403 | TCP | 2816718 | A Network Trojan was detected
06/02/23-03:17:59.387763 | 192.168.2.7 | 49708 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:18:49.091071 | 192.168.2.7 | 49718 | 3.131.147.49 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:18:43.892441 | 192.168.2.7 | 49717 | 3.131.147.49 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:17:54.419991 | 192.168.2.7 | 49707 | 3.22.15.135 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:17:49.649672 | 192.168.2.7 | 49706 | 3.131.147.49 | 17403 | TCP | 2816766 | A Network Trojan was detected
06/02/23-03:17:24.631045 | 192.168.2.7 | 49701 | 3.22.15.135 | 17403 | TCP | 2816718 | A Network Trojan was detected
06/02/23-03:17:34.772716 | 192.168.2.7 | 49703 | 3.131.147.49 | 17403 | TCP | 2816766 | A Network Trojan was detected


        AV Detection

Source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "95d7519b-29ef-446d-9925-48c3abcd", "Group": "Default", "Domain1": "4.tcp.ngrok.io", "Domain2": "4.tcp.ngrok.io", "Port": 17403, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: sqeCz4tgdW.exe | ReversingLabs: Detection: 97%
Source: sqeCz4tgdW.exe | Virustotal: Detection: 91%
Source: sqeCz4tgdW.exe | Avira: detected
Source: 4.tcp.ngrok.io | Avira URL Cloud: Label: malware
Source: 4.tcp.ngrok.io | Virustotal: Detection: 21%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 97%
Source: Yara match | File source: sqeCz4tgdW.exe, type: SAMPLE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sqeCz4tgdW.exe.5ad0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sqeCz4tgdW.exe.5ad4629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b3e3c4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sqeCz4tgdW.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b3e3c4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sqeCz4tgdW.exe PID: 7000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 3568, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: sqeCz4tgdW.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: sqeCz4tgdW.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

        Networking

Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49699 -> 3.129.187.220:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49700 -> 3.129.187.220:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49701 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.7:49701 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49702 -> 3.131.147.49:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49703 -> 3.131.147.49:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49704 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49705 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49706 -> 3.131.147.49:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49707 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49708 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49710 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49711 -> 3.131.147.49:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49712 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49713 -> 3.131.147.49:17403
Source: Traffic | Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.7:49713 -> 3.131.147.49:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49714 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49715 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49716 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49717 -> 3.131.147.49:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49718 -> 3.131.147.49:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49719 -> 3.131.147.49:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49720 -> 3.131.147.49:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49721 -> 3.22.15.135:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49722 -> 3.131.147.49:17403
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49723 -> 3.22.15.135:17403
Source: global traffic | TCP traffic: 3.131.147.49 ports 0,1,3,4,7,17403
Source: global traffic | TCP traffic: 3.22.15.135 ports 0,1,3,4,7,17403
Source: global traffic | TCP traffic: 3.129.187.220 ports 0,1,3,4,7,17403
Source: Malware configuration extractor | URLs: 4.tcp.ngrok.io
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | IP Address: 3.131.147.49
Source: global traffic | TCP traffic: 192.168.2.7:49699 -> 3.129.187.220:17403
Source: global traffic | TCP traffic: 192.168.2.7:49701 -> 3.22.15.135:17403
Source: global traffic | TCP traffic: 192.168.2.7:49702 -> 3.131.147.49:17403
Source: unknown | DNS traffic detected: queries for: 4.tcp.ngrok.io
Source: sqeCz4tgdW.exe, 00000000.00000002.605285032.0000000001258000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: sqeCz4tgdW.exe, 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud

Source: Yara match | File source: sqeCz4tgdW.exe, type: SAMPLE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sqeCz4tgdW.exe.5ad0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sqeCz4tgdW.exe.5ad4629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b3e3c4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sqeCz4tgdW.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b3e3c4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sqeCz4tgdW.exe PID: 7000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 3568, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

        System Summary

Source: sqeCz4tgdW.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: sqeCz4tgdW.exe, type: SAMPLE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: sqeCz4tgdW.exe, type: SAMPLE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: sqeCz4tgdW.exe, type: SAMPLE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.2.sqeCz4tgdW.exe.5620000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 0.2.sqeCz4tgdW.exe.5620000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.sqeCz4tgdW.exe.5620000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 1.2.dhcpmon.exe.2b13dc4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 1.2.dhcpmon.exe.2b13dc4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 1.2.dhcpmon.exe.2b13dc4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.2.sqeCz4tgdW.exe.5ad4629.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.2.sqeCz4tgdW.exe.5ad4629.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.sqeCz4tgdW.exe.5ad4629.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 1.2.dhcpmon.exe.3b3e3c4.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 1.2.dhcpmon.exe.3b3e3c4.1.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 1.2.dhcpmon.exe.3b3e3c4.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 1.2.dhcpmon.exe.3b3e3c4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 1.2.dhcpmon.exe.3b3e3c4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 1.2.dhcpmon.exe.3b3e3c4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.2.sqeCz4tgdW.exe.3211794.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 0.2.sqeCz4tgdW.exe.3211794.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.sqeCz4tgdW.exe.3211794.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
        Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 00000000.00000002.608684024.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: Process Memory Space: sqeCz4tgdW.exe PID: 7000, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: Process Memory Space: sqeCz4tgdW.exe PID: 7000, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: sqeCz4tgdW.exe PID: 7000, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: Process Memory Space: dhcpmon.exe PID: 3568, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 3568, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Detects NanoCore Author: ditekSHen
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: sqeCz4tgdW.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: sqeCz4tgdW.exe, type: SAMPLE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: sqeCz4tgdW.exe, type: SAMPLE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: sqeCz4tgdW.exe, type: SAMPLE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: sqeCz4tgdW.exe, type: SAMPLE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: sqeCz4tgdW.exe, type: SAMPLE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 0.2.sqeCz4tgdW.exe.5620000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.sqeCz4tgdW.exe.5620000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.sqeCz4tgdW.exe.5620000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.sqeCz4tgdW.exe.5620000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 1.2.dhcpmon.exe.2b13dc4.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.dhcpmon.exe.2b13dc4.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.dhcpmon.exe.2b13dc4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 1.2.dhcpmon.exe.2b13dc4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 0.2.sqeCz4tgdW.exe.5ad4629.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.sqeCz4tgdW.exe.5ad4629.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 0.2.sqeCz4tgdW.exe.5ad4629.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.sqeCz4tgdW.exe.5ad4629.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 1.2.dhcpmon.exe.3b3e3c4.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.dhcpmon.exe.3b3e3c4.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.dhcpmon.exe.3b3e3c4.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 1.2.dhcpmon.exe.3b3e3c4.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.sqeCz4tgdW.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 1.2.dhcpmon.exe.3b3e3c4.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.dhcpmon.exe.3b3e3c4.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.dhcpmon.exe.3b3e3c4.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 1.2.dhcpmon.exe.3b3e3c4.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 0.2.sqeCz4tgdW.exe.3211794.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.sqeCz4tgdW.exe.3211794.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.sqeCz4tgdW.exe.3211794.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.sqeCz4tgdW.exe.3211794.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000000.00000002.608684024.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: Process Memory Space: sqeCz4tgdW.exe PID: 7000, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: Process Memory Space: sqeCz4tgdW.exe PID: 7000, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: sqeCz4tgdW.exe PID: 7000, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: Process Memory Space: dhcpmon.exe PID: 3568, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 3568, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 1_2_04D123A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 1_2_04D12FA8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 1_2_04D13850
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 1_2_04D1306F
        Source: sqeCz4tgdW.exe, 00000000.00000002.611931569.0000000004266000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs sqeCz4tgdW.exe
        Source: sqeCz4tgdW.exe, 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs sqeCz4tgdW.exe
        Source: sqeCz4tgdW.exe, 00000000.00000002.611931569.000000000427F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs sqeCz4tgdW.exe
        Source: sqeCz4tgdW.exe, 00000000.00000002.613176449.0000000005630000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs sqeCz4tgdW.exe
        Source: sqeCz4tgdW.exe, 00000000.00000002.605285032.0000000001258000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs sqeCz4tgdW.exe
        Source: sqeCz4tgdW.exe, 00000000.00000002.608684024.0000000003201000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs sqeCz4tgdW.exe
        Source: sqeCz4tgdW.exe, 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs sqeCz4tgdW.exe
        Source: sqeCz4tgdW.exe, 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs sqeCz4tgdW.exe
        Source: sqeCz4tgdW.exeStatic PE information: Section: .rsrc ZLIB complexity 0.9993303571428571
        Source: dhcpmon.exe.0.drStatic PE information: Section: .rsrc ZLIB complexity 0.9993303571428571
        Source: sqeCz4tgdW.exeReversingLabs: Detection: 97%
        Source: sqeCz4tgdW.exeVirustotal: Detection: 91%
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeFile read: C:\Users\user\Desktop\sqeCz4tgdW.exeJump to behavior
        Source: sqeCz4tgdW.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\sqeCz4tgdW.exe C:\Users\user\Desktop\sqeCz4tgdW.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@2/4@25/3
        Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: sqeCz4tgdW.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: sqeCz4tgdW.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: sqeCz4tgdW.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{95d7519b-29ef-446d-9925-48c3abcdb273}
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: sqeCz4tgdW.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: sqeCz4tgdW.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: sqeCz4tgdW.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: C:\Users\user\Desktop\sqeCz4tgdW.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: sqeCz4tgdW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
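
The process tree, dropped file, AppData artifact and mutexes listed above are the host-side indicators an incident responder would turn into a hunt. The script below is an added example and is not part of the Joe Sandbox report: it expresses those observations as matching logic and runs it over a handful of constructed Sysmon-style events (the field names EventID, Image, ParentImage and TargetFilename are the Sysmon ones; the events themselves are made up here, not taken from the analysis). The mutex Global\.net clr networking that appears next to the NanoCore mutex is created by the .NET Framework's own networking stack, so the example deliberately excludes it.

```python
import re

# Host artifacts taken from the report's behaviour entries.
DROP_DIR = r"C:\Program Files (x86)\DHCP Monitor"
DROPPED_EXE = DROP_DIR + r"\dhcpmon.exe"
NANOCORE_MUTEX = r"Global\{95d7519b-29ef-446d-9925-48c3abcdb273}"
# Also listed in the report, but created by the .NET runtime itself (System.Net
# performance counters); pivoting on it would flag every networked .NET process.
BENIGN_CLR_MUTEX = r"Global\.net clr networking"

# The report shows one GUID-named file written under %APPDATA%\Roaming.
ROAMING_GUID_RE = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$",
    re.IGNORECASE,
)
# Locations a standard user can write to; a Program Files binary whose parent
# lives here is the shape of the sqeCz4tgdW.exe -> dhcpmon.exe relationship.
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create).
# These are illustrative, not events recorded in the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\sqeCz4tgdW.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\sqeCz4tgdW.exe",
     "TargetFilename": DROPPED_EXE},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\sqeCz4tgdW.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A"},
    {"EventID": 1, "Image": DROPPED_EXE,
     "ParentImage": r"C:\Users\user\Desktop\sqeCz4tgdW.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def match_event(ev: dict) -> list:
    """Return the reasons an event matches the report's behaviour (empty list if none)."""
    reasons = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 11:
        target = ev.get("TargetFilename", "")
        if target.lower() == DROPPED_EXE.lower():
            reasons.append("drop of dhcpmon.exe into the DHCP Monitor directory")
        elif ROAMING_GUID_RE.search(target):
            reasons.append("GUID-named file written under AppData\\Roaming")
    elif eid == 1:
        parent = ev.get("ParentImage", "")
        if image.lower().startswith(DROP_DIR.lower() + "\\"):
            reasons.append("process started from the DHCP Monitor drop directory")
        # "c:\program files" also prefixes "C:\Program Files (x86)\...".
        if image.lower().startswith(r"c:\program files") and USER_WRITABLE_RE.match(parent):
            reasons.append("Program Files binary spawned by a process in a user-writable path")
    return reasons


def hunt(events) -> list:
    """Index every event that matches at least one of the report-derived checks."""
    return [{"index": i, "reasons": r} for i, ev in enumerate(events) if (r := match_event(ev))]


def is_nanocore_mutex(name: str) -> bool:
    """Exact, case-insensitive match on the mutex the sample created; the CLR
    networking mutex is intentionally not treated as an indicator."""
    return name.lower() == NANOCORE_MUTEX.lower()


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["index"], SAMPLE_EVENTS[hit["index"]].get("Image"), hit["reasons"])
```

The path checks are deliberately literal because the report gives literal values; a production rule would generalise the directory name, since NanoCore builders let the operator pick the install folder and file name.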

Data Obfuscation

Source: sqeCz4tgdW.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: sqeCz4tgdW.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.0.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: sqeCz4tgdW.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: sqeCz4tgdW.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.0.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.0.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
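
The "High entropy of concatenated method names" entries above quote the renamed identifiers that fired the signature, and the .Net Code entries show the Assembly.Load(byte[]) call that unpacks the next stage those names belong to. The script below is an added example, not part of the Joe Sandbox report, that reproduces the entropy heuristic: Shannon entropy over the concatenation of the names quoted in the first entry, compared with a baseline of readable member names taken from the same sample's plugin metadata (the NanoCore.ClientPluginHost string table in the Remote Access Functionality section and the Security API entries). The 5.0-bit threshold, the minimum sample size and the identifier-shape check are choices made for this example, not Joe Sandbox's values; the "#=q" prefix is the renaming scheme commonly associated with Eazfuscator.NET.

```python
import math
from collections import Counter

# Renamed method identifiers quoted in the report's first
# "High entropy of concatenated method names" entry for sqeCz4tgdW.exe.
OBFUSCATED_NAMES = [
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
    "#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=",
    "#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA",
    "#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=",
    "#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=",
    "#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=",
    "#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=",
]

# Baseline: readable member names the same sample exposes in its un-obfuscated
# NanoCore plugin metadata and in the Security API / Cryptographic API entries.
PLAIN_NAMES = [
    "GetCurrent", "IsInRole", "CreateDecryptor", "TransformFinalBlock",
    "ReadPacket", "ClosePipe", "SendToServer", "LogClientMessage",
    "RebuildHostCache", "AddHostEntry",
]

ENTROPY_THRESHOLD = 5.0  # bits per character; chosen for this example
MIN_SAMPLE_CHARS = 64    # below this the empirical estimate is too noisy to trust


def shannon_entropy(text: str) -> float:
    """Empirical Shannon entropy of a string, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def concatenated_entropy(names) -> float:
    """Entropy of all names joined together, which is what the signature measures."""
    return shannon_entropy("".join(names))


def looks_renamed_by_obfuscator(name: str) -> bool:
    """Identifier-shape check: a name that cannot be written in C# or VB source
    ('#=q...' starts with '#') was emitted by a renaming tool, not a compiler."""
    return name.startswith("#=q") or not (name[0].isalpha() or name[0] == "_")


def classify(names) -> dict:
    """Combine the entropy measurement with the shape check for one set of names."""
    blob = "".join(names)
    entropy = concatenated_entropy(names)
    renamed = sum(1 for n in names if looks_renamed_by_obfuscator(n))
    return {
        "chars": len(blob),
        "entropy": round(entropy, 2),
        "renamed_identifiers": renamed,
        "high_entropy": len(blob) >= MIN_SAMPLE_CHARS and entropy >= ENTROPY_THRESHOLD,
    }


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("baseline", PLAIN_NAMES)):
        print(label, classify(names))
```

Base64-shaped names approach the 6 bits per character of a 64-symbol alphabet, while camelCase English identifiers sit well below that, which is why the heuristic separates the two sets cleanly; the shape check is the cheaper and more specific signal and is worth running first.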

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | File opened: C:\Users\user\Desktop\sqeCz4tgdW.exe:Zone.Identifier (read attributes, delete)
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | Process information set: NOOPENFILEERRORBOX (39 identical entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (23 identical entries)
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe TID: 6948 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe TID: 6964 | Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe TID: 6984 | Thread sleep time: -500000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5172 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | Window / User API: foregroundWindowGot 1001
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: sqeCz4tgdW.exe, 00000000.00000003.340133983.0000000001329000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: sqeCz4tgdW.exe, 00000000.00000003.340133983.0000000001329000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | Memory allocated: page read and write, page guard
Source: sqeCz4tgdW.exe, 00000000.00000003.525116521.0000000001303000.00000004.00000020.00020000.00000000.sdmp, sqeCz4tgdW.exe, 00000000.00000003.603752721.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, sqeCz4tgdW.exe, 00000000.00000003.570292159.000000000132F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: sqeCz4tgdW.exe, 00000000.00000003.519942547.000000000132F000.00000004.00000020.00020000.00000000.sdmp, sqeCz4tgdW.exe, 00000000.00000003.541232679.0000000001330000.00000004.00000020.00020000.00000000.sdmp, sqeCz4tgdW.exe, 00000000.00000003.534666236.000000000132A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager@4,
Source: sqeCz4tgdW.exe, 00000000.00000002.608684024.0000000003201000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managerr
Source: C:\Users\user\Desktop\sqeCz4tgdW.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: sqeCz4tgdW.exe, type: SAMPLE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sqeCz4tgdW.exe.5ad0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sqeCz4tgdW.exe.5ad4629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b3e3c4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sqeCz4tgdW.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dhcpmon.exe.3b3e3c4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sqeCz4tgdW.exe PID: 7000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 3568, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

        Remote Access Functionality

        barindex
        Source: sqeCz4tgdW.exe, 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: sqeCz4tgdW.exe, 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKey
wordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: sqeCz4tgdW.exe, 00000000.00000002.608684024.0000000003201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: sqeCz4tgdW.exe, 00000000.00000002.608684024.0000000003201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKey
wordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: sqeCz4tgdW.exe, 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: sqeCz4tgdW.exe, 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywor
dAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywor
dAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: sqeCz4tgdW.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe.0.drString found in binary or memory: NanoCore.ClientPluginHost
        Source: Yara matchFile source: sqeCz4tgdW.exe, type: SAMPLE
        Source: Yara matchFile source: 1.2.dhcpmon.exe.3b429ed.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.sqeCz4tgdW.exe.5ad0000.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.dhcpmon.exe.3b3958e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.sqeCz4tgdW.exe.5ad4629.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.0.sqeCz4tgdW.exe.ba0000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.dhcpmon.exe.3b3e3c4.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.sqeCz4tgdW.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.dhcpmon.exe.3b3e3c4.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: sqeCz4tgdW.exe PID: 7000, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 3568, type: MEMORYSTR
        Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
        ATT&CK Matrix, listed per tactic column (numbers in brackets are the counts the report attaches to matched techniques):

        Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
        Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
        Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
        Privilege Escalation: Process Injection [2], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
        Defense Evasion: Masquerading [2], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [21], Process Injection [2], Deobfuscate/Decode Files or Information [1], Hidden Files and Directories [1], Software Packing [11]
        Credential Access: Input Capture [21], LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
        Discovery: Security Software Discovery [11], Process Discovery [2], Virtualization/Sandbox Evasion [21], Application Window Discovery [1], System Information Discovery [2], System Owner/User Discovery, Network Sniffing
        Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
        Collection: Input Capture [21], Archive Collected Data [11], Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
        Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
        Command and Control: Encrypted Channel [1], Non-Standard Port [1], Remote Access Software [1], Non-Application Layer Protocol [1], Application Layer Protocol [11], Multiband Communication, Commonly Used Port
        Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
        Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
        Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact
        Source | Detection | Scanner | Label
        sqeCz4tgdW.exe | 97% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
        sqeCz4tgdW.exe | 92% | Virustotal |
        sqeCz4tgdW.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
        sqeCz4tgdW.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 97% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore

        No Antivirus matches

        Source | Detection | Scanner | Label
        4.tcp.ngrok.io | 21% | Virustotal |

        Source | Detection | Scanner | Label
        4.tcp.ngrok.io | 100% | Avira URL Cloud | malware

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        4.tcp.ngrok.io | 3.129.187.220 | true | true | | unknown

        Name | Malicious | Antivirus Detection | Reputation
        4.tcp.ngrok.io | true | Avira URL Cloud: malware | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        3.131.147.49 | unknown | United States | 16509 | AMAZON-02US | true
        3.129.187.220 | 4.tcp.ngrok.io | United States | 16509 | AMAZON-02US | true
        3.22.15.135 | unknown | United States | 16509 | AMAZON-02US | true
        Joe Sandbox Version:37.1.0 Beryl
        Analysis ID:880361
        Start date and time:2023-06-02 03:16:15 +02:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 8m 23s
        Hypervisor based Inspection enabled:false
        Report type:light
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed:5
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample file name:sqeCz4tgdW.exe
        Original Sample Name:0cea4eaf614191a2cf51abd70a672ed9.exe
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@2/4@25/3
        EGA Information:
        • Successful, ratio: 50%
        HDC Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
        • TCP Packets have been reduced to 100
        • Execution Graph export aborted for target sqeCz4tgdW.exe, PID 7000 because there are no executed function
        • Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtDeviceIoControlFile calls found.
        Time | Type | Description
        03:17:13 | API Interceptor | 875x Sleep call for process: sqeCz4tgdW.exe modified
        03:17:17 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Process:C:\Users\user\Desktop\sqeCz4tgdW.exe
        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Category:dropped
        Size (bytes):207360
        Entropy (8bit):7.446808234153199
        Encrypted:false
        SSDEEP:6144:gLV6Bta6dtJmakIM5RlWUu5LYkO0TrWSo:gLV6BtpmkelM5LYkO0TK9
        MD5:0CEA4EAF614191A2CF51ABD70A672ED9
        SHA1:1F5259A6EEEF5C641B324570F311BC8C86F32DC1
        SHA-256:597475447158DD0612E5584C51A515CABB3EAC9BD01681836318614CDA4878D0
        SHA-512:6CFE9F34EA558AD88084ADABB7DC049AD70A9F7418D05A0CA966A319A6CC55A87584B686787C6413797C39E3678BDE206FF59379D0F1CAE476F3272C02BE2478
        Malicious:true
        Yara Hits:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems)
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems)
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: ditekSHen
        • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: unknown
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: ReversingLabs, Detection: 97%
        Reputation:low
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ..p]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...p]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
        Process:C:\Users\user\Desktop\sqeCz4tgdW.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):26
        Entropy (8bit):3.95006375643621
        Encrypted:false
        SSDEEP:3:ggPYV:rPYV
        MD5:187F488E27DB4AF347237FE461A079AD
        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
        Malicious:true
        Reputation:high, very likely benign file
        Preview:[ZoneTransfer]....ZoneId=0
        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):525
        Entropy (8bit):5.2874233355119316
        Encrypted:false
        SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
        MD5:61CCF53571C9ABA6511D696CB0D32E45
        SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
        SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
        SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
        Malicious:false
        Reputation:high, very likely benign file
        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
        Process:C:\Users\user\Desktop\sqeCz4tgdW.exe
        File Type:International EBCDIC text, with no line terminators
        Category:dropped
        Size (bytes):8
        Entropy (8bit):3.0
        Encrypted:false
        SSDEEP:3:y8+t:G
        MD5:73774CC6596C584012DF7F49C950AA18
        SHA1:5E8BE4474D2002A3EA53C37EB702463F1A35FD90
        SHA-256:37CD8E5FF28A70B4AE1FB96AEB1195B18DC9609EB73C58847F78E95281954C52
        SHA-512:BDF84B8CF190C3729B9B1829CEA5B6455E514CDFFF730ADB630543C58CC558E6AEFEB8200BFC11A35D82E98ABFC3E1923B42F97439FFBC8A8A6BAC0A32FEBCCD
        Malicious:true
        Reputation:low
        Preview:..Z.Rc.H
        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit):7.446808234153199
        TrID:
        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        • Win32 Executable (generic) a (10002005/4) 49.78%
        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
        • Generic Win/DOS Executable (2004/3) 0.01%
        • DOS Executable Generic (2002/1) 0.01%
        File name:sqeCz4tgdW.exe
        File size:207360
        MD5:0cea4eaf614191a2cf51abd70a672ed9
        SHA1:1f5259a6eeef5c641b324570f311bc8c86f32dc1
        SHA256:597475447158dd0612e5584c51a515cabb3eac9bd01681836318614cda4878d0
        SHA512:6cfe9f34ea558ad88084adabb7dc049ad70a9f7418d05a0ca966a319a6cc55a87584b686787c6413797c39e3678bde206ff59379d0f1cae476f3272c02be2478
        SSDEEP:6144:gLV6Bta6dtJmakIM5RlWUu5LYkO0TrWSo:gLV6BtpmkelM5LYkO0TK9
        TLSH:1514BF5677E94A2FE2DE86B9602251128379C2E3E8C3F7DE28D454F78B267E406071D3
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. .....................................................................
        Icon Hash:90cececece8e8eb0
        Entrypoint:0x41e792
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        DLL Characteristics:
        Time Stamp:0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
        Instruction
        jmp dword ptr [00402000h]
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e738 | 0x57 | .text
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x15d70 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x2000 | 0x1c798 | 0x1c800 | False | 0.5945038377192983 | data | 6.5980557661789465 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .reloc | 0x20000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        .rsrc | 0x22000 | 0x15d70 | 0x15e00 | False | 0.9993303571428571 | data | 7.997699178073433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

        Name | RVA | Size | Type | Language | Country
        RT_RCDATA | 0x22058 | 0x15d18 | data | |

        DLL | Import
        mscoree.dll | _CorExeMain
        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
        06/02/23-03:18:14.807235 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49711 | 17403 | 192.168.2.7 | 3.131.147.49
        06/02/23-03:17:24.631045 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:18:19.558845 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49712 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:19:11.880129 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49722 | 17403 | 192.168.2.7 | 3.131.147.49
        06/02/23-03:18:24.437024 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49713 | 17403 | 192.168.2.7 | 3.131.147.49
        06/02/23-03:18:10.096340 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49710 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:19:01.687305 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49720 | 17403 | 192.168.2.7 | 3.131.147.49
        06/02/23-03:18:29.201957 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49714 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:19:06.902900 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49721 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:17:29.974643 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49702 | 17403 | 192.168.2.7 | 3.131.147.49
        06/02/23-03:18:33.818642 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49715 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:17:39.703803 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49704 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:17:44.449297 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49705 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:17:14.925523 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49699 | 17403 | 192.168.2.7 | 3.129.187.220
        06/02/23-03:18:39.059373 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49716 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:18:54.982902 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49719 | 17403 | 192.168.2.7 | 3.131.147.49
        06/02/23-03:17:19.627500 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49700 | 17403 | 192.168.2.7 | 3.129.187.220
        06/02/23-03:19:17.220052 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49723 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:18:24.437024 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49713 | 17403 | 192.168.2.7 | 3.131.147.49
        06/02/23-03:17:59.387763 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49708 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:18:49.091071 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49718 | 17403 | 192.168.2.7 | 3.131.147.49
        06/02/23-03:18:43.892441 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49717 | 17403 | 192.168.2.7 | 3.131.147.49
        06/02/23-03:17:54.419991 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49707 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:17:49.649672 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49706 | 17403 | 192.168.2.7 | 3.131.147.49
        06/02/23-03:17:24.631045 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        06/02/23-03:17:34.772716 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49703 | 17403 | 192.168.2.7 | 3.131.147.49
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Jun 2, 2023 03:17:14.248718977 CEST | 49699 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:14.404376984 CEST | 17403 | 49699 | 3.129.187.220 | 192.168.2.7
        Jun 2, 2023 03:17:14.404645920 CEST | 49699 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:14.458405018 CEST | 49699 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:14.613961935 CEST | 17403 | 49699 | 3.129.187.220 | 192.168.2.7
        Jun 2, 2023 03:17:14.614321947 CEST | 49699 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:14.769804955 CEST | 17403 | 49699 | 3.129.187.220 | 192.168.2.7
        Jun 2, 2023 03:17:14.769936085 CEST | 49699 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:14.925280094 CEST | 17403 | 49699 | 3.129.187.220 | 192.168.2.7
        Jun 2, 2023 03:17:14.925523043 CEST | 49699 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:14.948740005 CEST | 17403 | 49699 | 3.129.187.220 | 192.168.2.7
        Jun 2, 2023 03:17:14.955879927 CEST | 49699 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:19.005378008 CEST | 49700 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:19.160744905 CEST | 17403 | 49700 | 3.129.187.220 | 192.168.2.7
        Jun 2, 2023 03:17:19.160980940 CEST | 49700 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:19.161511898 CEST | 49700 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:19.316651106 CEST | 17403 | 49700 | 3.129.187.220 | 192.168.2.7
        Jun 2, 2023 03:17:19.316771030 CEST | 49700 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:19.472047091 CEST | 17403 | 49700 | 3.129.187.220 | 192.168.2.7
        Jun 2, 2023 03:17:19.472188950 CEST | 49700 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:19.627413988 CEST | 17403 | 49700 | 3.129.187.220 | 192.168.2.7
        Jun 2, 2023 03:17:19.627500057 CEST | 49700 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:19.665241957 CEST | 17403 | 49700 | 3.129.187.220 | 192.168.2.7
        Jun 2, 2023 03:17:19.665477991 CEST | 49700 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:19.782645941 CEST | 17403 | 49700 | 3.129.187.220 | 192.168.2.7
        Jun 2, 2023 03:17:19.782721043 CEST | 49700 | 17403 | 192.168.2.7 | 3.129.187.220
        Jun 2, 2023 03:17:23.903742075 CEST | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:24.058501959 CEST | 17403 | 49701 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:24.058590889 CEST | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:24.059762001 CEST | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:24.214550972 CEST | 17403 | 49701 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:24.214859009 CEST | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:24.369662046 CEST | 17403 | 49701 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:24.382611036 CEST | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:24.537458897 CEST | 17403 | 49701 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:24.538283110 CEST | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:24.628906012 CEST | 17403 | 49701 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:24.631045103 CEST | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:24.631191015 CEST | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:24.693058014 CEST | 17403 | 49701 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:24.694983006 CEST | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:24.786062002 CEST | 17403 | 49701 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:24.786199093 CEST | 49701 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:29.454476118 CEST | 49702 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:29.609735012 CEST | 17403 | 49702 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:29.609920025 CEST | 49702 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:29.663494110 CEST | 49702 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:29.818592072 CEST | 17403 | 49702 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:29.818792105 CEST | 49702 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:29.974524021 CEST | 17403 | 49702 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:29.974642992 CEST | 49702 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:30.101577997 CEST | 17403 | 49702 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:30.101851940 CEST | 49702 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:30.129663944 CEST | 17403 | 49702 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:30.129792929 CEST | 49702 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:34.145782948 CEST | 49703 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:34.301250935 CEST | 17403 | 49703 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:34.301405907 CEST | 49703 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:34.302206039 CEST | 49703 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:34.457386017 CEST | 17403 | 49703 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:34.457461119 CEST | 49703 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:34.612817049 CEST | 17403 | 49703 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:34.616580009 CEST | 49703 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:34.772546053 CEST | 17403 | 49703 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:34.772716045 CEST | 49703 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:34.797590017 CEST | 17403 | 49703 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:34.799402952 CEST | 49703 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:39.074366093 CEST | 49704 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:39.229404926 CEST | 17403 | 49704 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:39.229753017 CEST | 49704 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:39.230129004 CEST | 49704 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:39.384891033 CEST | 17403 | 49704 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:39.389611959 CEST | 49704 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:39.544677973 CEST | 17403 | 49704 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:39.548490047 CEST | 49704 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:39.703592062 CEST | 17403 | 49704 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:39.703803062 CEST | 49704 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:39.723170042 CEST | 17403 | 49704 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:39.723527908 CEST | 49704 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:43.786714077 CEST | 49705 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:43.944698095 CEST | 17403 | 49705 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:43.944829941 CEST | 49705 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:43.984668016 CEST | 49705 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:44.139517069 CEST | 17403 | 49705 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:44.139671087 CEST | 49705 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:44.294341087 CEST | 17403 | 49705 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:44.294497013 CEST | 49705 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:44.449165106 CEST | 17403 | 49705 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:44.449296951 CEST | 49705 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:44.467979908 CEST | 17403 | 49705 | 3.22.15.135 | 192.168.2.7
        Jun 2, 2023 03:17:44.468321085 CEST | 49705 | 17403 | 192.168.2.7 | 3.22.15.135
        Jun 2, 2023 03:17:49.026027918 CEST | 49706 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:49.181377888 CEST | 17403 | 49706 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:49.182033062 CEST | 49706 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:49.182518959 CEST | 49706 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:49.337843895 CEST | 17403 | 49706 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:49.338016033 CEST | 49706 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:49.493340015 CEST | 17403 | 49706 | 3.131.147.49 | 192.168.2.7
        Jun 2, 2023 03:17:49.493536949 CEST | 49706 | 17403 | 192.168.2.7 | 3.131.147.49
        Jun 2, 2023 03:17:49.649389029 CEST | 17403 | 49706 | 3.131.147.49 | 192.168.2.7
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Jun 2, 2023 03:17:14.207670927 CEST | 60326 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:17:14.233273029 CEST | 53 | 60326 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:17:18.982705116 CEST | 50835 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:17:19.004167080 CEST | 53 | 50835 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:17:23.866841078 CEST | 50505 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:17:23.902790070 CEST | 53 | 50505 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:17:29.400700092 CEST | 61178 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:17:29.446557045 CEST | 53 | 61178 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:17:34.123019934 CEST | 63926 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:17:34.143059015 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:17:39.044580936 CEST | 53336 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:17:39.071871996 CEST | 53 | 53336 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:17:43.756937981 CEST | 51007 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:17:43.785307884 CEST | 53 | 51007 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:17:48.994874954 CEST | 50513 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:17:49.023816109 CEST | 53 | 50513 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:17:53.718583107 CEST | 60765 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:17:53.742288113 CEST | 53 | 60765 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:17:58.735143900 CEST | 58283 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:17:58.765738010 CEST | 53 | 58283 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:18:04.513411999 CEST | 50024 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:18:04.542355061 CEST | 53 | 50024 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:18:09.343749046 CEST | 49516 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:18:09.367266893 CEST | 53 | 49516 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:18:14.124124050 CEST | 62679 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:18:14.160327911 CEST | 53 | 62679 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:18:18.908082962 CEST | 61392 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:18:18.937267065 CEST | 53 | 61392 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:18:23.725902081 CEST | 52104 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:18:23.753962994 CEST | 53 | 52104 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:18:28.549869061 CEST | 65356 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:18:28.578433037 CEST | 53 | 65356 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:18:33.305336952 CEST | 59006 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:18:33.334503889 CEST | 53 | 59006 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:18:38.403458118 CEST | 51526 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:18:38.437822104 CEST | 53 | 51526 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:18:43.240406990 CEST | 51139 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:18:43.265762091 CEST | 53 | 51139 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:18:48.363512993 CEST | 58784 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:18:48.391935110 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:18:54.312196970 CEST | 57970 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:18:54.332453012 CEST | 53 | 57970 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:19:01.031968117 CEST | 64608 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:19:01.060734034 CEST | 53 | 64608 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:19:06.258625031 CEST | 58746 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:19:06.279195070 CEST | 53 | 58746 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:19:11.240745068 CEST | 62433 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:19:11.255553961 CEST | 53 | 62433 | 8.8.8.8 | 192.168.2.7
        Jun 2, 2023 03:19:16.326858997 CEST | 61248 | 53 | 192.168.2.7 | 8.8.8.8
        Jun 2, 2023 03:19:16.356242895 CEST | 53 | 61248 | 8.8.8.8 | 192.168.2.7
        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Jun 2, 2023 03:17:14.207670927 CEST | 192.168.2.7 | 8.8.8.8 | 0x8d3d | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:18.982705116 CEST | 192.168.2.7 | 8.8.8.8 | 0xa613 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:23.866841078 CEST | 192.168.2.7 | 8.8.8.8 | 0x40e | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:29.400700092 CEST | 192.168.2.7 | 8.8.8.8 | 0x2ac3 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:34.123019934 CEST | 192.168.2.7 | 8.8.8.8 | 0xb43 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:39.044580936 CEST | 192.168.2.7 | 8.8.8.8 | 0x3a6e | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:43.756937981 CEST | 192.168.2.7 | 8.8.8.8 | 0xcceb | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:48.994874954 CEST | 192.168.2.7 | 8.8.8.8 | 0xf38a | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:53.718583107 CEST | 192.168.2.7 | 8.8.8.8 | 0x1006 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:58.735143900 CEST | 192.168.2.7 | 8.8.8.8 | 0x5260 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:04.513411999 CEST | 192.168.2.7 | 8.8.8.8 | 0x7ec0 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:09.343749046 CEST | 192.168.2.7 | 8.8.8.8 | 0xe177 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:14.124124050 CEST | 192.168.2.7 | 8.8.8.8 | 0x98c9 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:18.908082962 CEST | 192.168.2.7 | 8.8.8.8 | 0x621c | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:23.725902081 CEST | 192.168.2.7 | 8.8.8.8 | 0x863e | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:28.549869061 CEST | 192.168.2.7 | 8.8.8.8 | 0xb18f | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:33.305336952 CEST | 192.168.2.7 | 8.8.8.8 | 0xf9d4 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:38.403458118 CEST | 192.168.2.7 | 8.8.8.8 | 0xc2f6 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:43.240406990 CEST | 192.168.2.7 | 8.8.8.8 | 0x470f | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:48.363512993 CEST | 192.168.2.7 | 8.8.8.8 | 0x2450 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:54.312196970 CEST | 192.168.2.7 | 8.8.8.8 | 0x1efc | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:19:01.031968117 CEST | 192.168.2.7 | 8.8.8.8 | 0x26c1 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:19:06.258625031 CEST | 192.168.2.7 | 8.8.8.8 | 0xd77d | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:19:11.240745068 CEST | 192.168.2.7 | 8.8.8.8 | 0x6db7 | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:19:16.326858997 CEST | 192.168.2.7 | 8.8.8.8 | 0xf75f | Standard query (0) | 4.tcp.ngrok.io | A (IP address) | IN (0x0001) | false
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Jun 2, 2023 03:17:14.233273029 CEST | 8.8.8.8 | 192.168.2.7 | 0x8d3d | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:19.004167080 CEST | 8.8.8.8 | 192.168.2.7 | 0xa613 | No error (0) | 4.tcp.ngrok.io | | 3.129.187.220 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:23.902790070 CEST | 8.8.8.8 | 192.168.2.7 | 0x40e | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:29.446557045 CEST | 8.8.8.8 | 192.168.2.7 | 0x2ac3 | No error (0) | 4.tcp.ngrok.io | | 3.131.147.49 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:34.143059015 CEST | 8.8.8.8 | 192.168.2.7 | 0xb43 | No error (0) | 4.tcp.ngrok.io | | 3.131.147.49 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:39.071871996 CEST | 8.8.8.8 | 192.168.2.7 | 0x3a6e | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:43.785307884 CEST | 8.8.8.8 | 192.168.2.7 | 0xcceb | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:49.023816109 CEST | 8.8.8.8 | 192.168.2.7 | 0xf38a | No error (0) | 4.tcp.ngrok.io | | 3.131.147.49 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:53.742288113 CEST | 8.8.8.8 | 192.168.2.7 | 0x1006 | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:17:58.765738010 CEST | 8.8.8.8 | 192.168.2.7 | 0x5260 | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:04.542355061 CEST | 8.8.8.8 | 192.168.2.7 | 0x7ec0 | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:09.367266893 CEST | 8.8.8.8 | 192.168.2.7 | 0xe177 | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:14.160327911 CEST | 8.8.8.8 | 192.168.2.7 | 0x98c9 | No error (0) | 4.tcp.ngrok.io | | 3.131.147.49 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:18.937267065 CEST | 8.8.8.8 | 192.168.2.7 | 0x621c | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:23.753962994 CEST | 8.8.8.8 | 192.168.2.7 | 0x863e | No error (0) | 4.tcp.ngrok.io | | 3.131.147.49 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:28.578433037 CEST | 8.8.8.8 | 192.168.2.7 | 0xb18f | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:33.334503889 CEST | 8.8.8.8 | 192.168.2.7 | 0xf9d4 | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:38.437822104 CEST | 8.8.8.8 | 192.168.2.7 | 0xc2f6 | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:43.265762091 CEST | 8.8.8.8 | 192.168.2.7 | 0x470f | No error (0) | 4.tcp.ngrok.io | | 3.131.147.49 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:48.391935110 CEST | 8.8.8.8 | 192.168.2.7 | 0x2450 | No error (0) | 4.tcp.ngrok.io | | 3.131.147.49 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:18:54.332453012 CEST | 8.8.8.8 | 192.168.2.7 | 0x1efc | No error (0) | 4.tcp.ngrok.io | | 3.131.147.49 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:19:01.060734034 CEST | 8.8.8.8 | 192.168.2.7 | 0x26c1 | No error (0) | 4.tcp.ngrok.io | | 3.131.147.49 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:19:06.279195070 CEST | 8.8.8.8 | 192.168.2.7 | 0xd77d | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:19:11.255553961 CEST | 8.8.8.8 | 192.168.2.7 | 0x6db7 | No error (0) | 4.tcp.ngrok.io | | 3.131.147.49 | A (IP address) | IN (0x0001) | false
        Jun 2, 2023 03:19:16.356242895 CEST | 8.8.8.8 | 192.168.2.7 | 0xf75f | No error (0) | 4.tcp.ngrok.io | | 3.22.15.135 | A (IP address) | IN (0x0001) | false
        Target ID: 0
        Start time: 03:17:11
        Start date: 02/06/2023
        Path: C:\Users\user\Desktop\sqeCz4tgdW.exe
        Wow64 process (32bit): true
        Commandline: C:\Users\user\Desktop\sqeCz4tgdW.exe
        Imagebase: 0xba0000
        File size: 207360 bytes
        MD5 hash: 0CEA4EAF614191A2CF51ABD70A672ED9
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: .Net C# or VB.NET
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
        • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.613140650.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth (Nextron Systems)
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000000.336434813.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
        • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.613534042.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.608684024.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
        Reputation: low

        Target ID: 1
        Start time: 03:17:26
        Start date: 02/06/2023
        Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Wow64 process (32bit): true
        Commandline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Imagebase: 0x510000
        File size: 207360 bytes
        MD5 hash: 0CEA4EAF614191A2CF51ABD70A672ED9
        Has elevated privileges: false
        Has administrator privileges: false
        Programmed in: .Net C# or VB.NET
        Yara matches:
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.385393945.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.385333810.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems)
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems)
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: ditekSHen
        • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: unknown
        Antivirus matches:
        • Detection: 100%, Avira
        • Detection: 100%, Joe Sandbox ML
        • Detection: 97%, ReversingLabs
        Reputation: low

        No disassembly