
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 880637
MD5: 8d93c7903bfd5900d72dbeb3b0968508
SHA1: fad787dd1ebae5cc64aaf7762dd6f49de50adfa7
SHA256: 685522dda736e8c071fcc9dc4b7bb3d58c45f36828eb0b8ca8557e5ec56499ad
Tags: NET exe MSIL x64 zgRAT

Detection

Nanocore, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5540 cmdline: C:\Users\user\Desktop\file.exe MD5: 8D93C7903BFD5900D72DBEB3B0968508)
    • CasPol.exe (PID: 5688 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6688 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6636 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
  • dhcpmon.exe (PID: 7020 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • conhost.exe (PID: 5172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware configuration extractor (NanoCore):

{
  "Version": "1.2.2.0",
  "Mutex": "954449b5-566c-46fe-92f0-8eb82a7f",
  "Group": "Cashout",
  "Domain1": "ezemnia3.ddns.net",
  "Domain2": "91.193.75.178",
  "Port": 62335,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}
Source | Rule | Description | Author | Strings (listed below each row)
file.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
file.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
    • 0x1011f:$s1: file:///
    • 0x1002d:$s2: {11111-22222-10009-11112}
    • 0x100af:$s3: {11111-22222-50001-00000}
    • 0xf54d:$s4: get_Module
    • 0xbf35:$s5: Reverse
    • 0xe4d6:$s6: BlockCopy
    • 0xc27b:$s7: ReadByte
    • 0x10131:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Source | Rule | Description | Author | Strings (listed below each row)
00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0x2f0d:$a: NanoCore
      • 0x2f66:$a: NanoCore
      • 0x2fa3:$a: NanoCore
      • 0x301c:$a: NanoCore
      • 0x166c7:$a: NanoCore
      • 0x166dc:$a: NanoCore
      • 0x16711:$a: NanoCore
      • 0x2f18b:$a: NanoCore
      • 0x2f1a0:$a: NanoCore
      • 0x2f1d5:$a: NanoCore
      • 0x2f6f:$b: ClientPlugin
      • 0x2fac:$b: ClientPlugin
      • 0x38aa:$b: ClientPlugin
      • 0x38b7:$b: ClientPlugin
      • 0x16483:$b: ClientPlugin
      • 0x1649e:$b: ClientPlugin
      • 0x164ce:$b: ClientPlugin
      • 0x166e5:$b: ClientPlugin
      • 0x1671a:$b: ClientPlugin
      • 0x2ef47:$b: ClientPlugin
      • 0x2ef62:$b: ClientPlugin
00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
      • 0x2fa3:$a1: NanoCore.ClientPluginHost
      • 0x16711:$a1: NanoCore.ClientPluginHost
      • 0x2f1d5:$a1: NanoCore.ClientPluginHost
      • 0x2f66:$a2: NanoCore.ClientPlugin
      • 0x166dc:$a2: NanoCore.ClientPlugin
      • 0x2f1a0:$a2: NanoCore.ClientPlugin
      • 0x333a:$b1: get_BuilderSettings
      • 0x1b657:$b1: get_BuilderSettings
      • 0x3411b:$b1: get_BuilderSettings
      • 0x2ff1:$b4: IClientAppHost
      • 0x33ab:$b6: AddHostEntry
      • 0x341a:$b7: LogClientException
      • 0x1b5c6:$b7: LogClientException
      • 0x3408a:$b7: LogClientException
      • 0x338f:$b8: PipeExists
      • 0x2fde:$b9: IClientLoggingHost
      • 0x1672b:$b9: IClientLoggingHost
      • 0x2f1ef:$b9: IClientLoggingHost
00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
      • 0xe75:$x1: NanoCore.ClientPluginHost
      • 0xe8f:$x2: IClientNetworkHost
00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
      • 0xe75:$x2: NanoCore.ClientPluginHost
      • 0x1261:$s3: PipeExists
      • 0x1136:$s4: PipeCreated
      • 0xeb0:$s5: IClientLoggingHost
(table truncated; 24 entries in total)
Source | Rule | Description | Author | Strings (listed below each row)
6.2.CasPol.exe.5d90000.7.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
      • 0xf7ad:$x1: NanoCore.ClientPluginHost
      • 0xf7da:$x2: IClientNetworkHost
6.2.CasPol.exe.5d90000.7.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
      • 0xf7ad:$x2: NanoCore.ClientPluginHost
      • 0x10888:$s4: PipeCreated
      • 0xf7c7:$s5: IClientLoggingHost
6.2.CasPol.exe.5d90000.7.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
6.2.CasPol.exe.5d90000.7.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
        • 0xf778:$x2: NanoCore.ClientPlugin
        • 0xf7ad:$x3: NanoCore.ClientPluginHost
        • 0xf76c:$i2: IClientData
        • 0xf78e:$i3: IClientNetwork
        • 0xf79d:$i5: IClientDataHost
        • 0xf7c7:$i6: IClientLoggingHost
        • 0xf7da:$i7: IClientNetworkHost
        • 0xf7ed:$i8: IClientUIHost
        • 0xf7fb:$i9: IClientNameObjectCollection
        • 0xf817:$i10: IClientReadOnlyNameObjectCollection
        • 0xf56a:$s1: ClientPlugin
        • 0xf781:$s1: ClientPlugin
        • 0x147a2:$s6: get_ClientSettings
6.2.CasPol.exe.5d90000.7.raw.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
        • 0xf7ad:$a1: NanoCore.ClientPluginHost
        • 0xf778:$a2: NanoCore.ClientPlugin
        • 0x146f3:$b1: get_BuilderSettings
        • 0x14662:$b7: LogClientException
        • 0xf7c7:$b9: IClientLoggingHost
(table truncated; 61 entries in total)

AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

No Snort rule has matched


AV Detection

Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "954449b5-566c-46fe-92f0-8eb82a7f", "Group": "Cashout", "Domain1": "ezemnia3.ddns.net", "Domain2": "91.193.75.178", "Port": 62335, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: file.exe | ReversingLabs: Detection: 43%
Source: file.exe | Virustotal: Detection: 38%
Source: file.exe | Avira: detected
Source: ezemnia3.ddns.net | Avira URL Cloud: Label: malware
Source: 91.193.75.178 | Avira URL Cloud: Label: malware
Source: ezemnia3.ddns.net | Virustotal: Detection: 6% (2 identical entries)
Source: 91.193.75.178 | Virustotal: Detection: 13%
Source: Yara match | File source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTR
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: CEMENT.pdb source: file.exe, 00000000.00000002.549229090.00000145C19F0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.549352152.00000145C327A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: NNnBbBb88837363.pdb source: file.exe
Source: Binary string: caspol.pdbdv source: CasPol.exe, 00000006.00000003.550917074.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000007.00000000.571315354.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, dhcpmon.exe.6.dr
Source: Binary string: b77a5c561934e089\mscorlib.pdb source: CasPol.exe, 00000006.00000002.804277570.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: caspol.pdb source: CasPol.exe, 00000006.00000003.550917074.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000007.00000000.571315354.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, dhcpmon.exe.6.dr

Networking

Source: Malware configuration extractor | URLs: ezemnia3.ddns.net
Source: Malware configuration extractor | URLs: 91.193.75.178
Source: unknown | DNS query: name: ezemnia3.ddns.net
Source: Joe Sandbox View | ASN Name: VCG-ASNG VCG-ASNG
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: global traffic | TCP traffic: 192.168.2.4:49695 -> 197.210.227.232:62335
Source: global traffic | TCP traffic: 192.168.2.4:49701 -> 91.193.75.178:62335
Source: unknown | TCP traffic detected without corresponding DNS query: 91.193.75.178 (15 identical entries)
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: file.exe | String found in binary or memory: http://s.symcd.com06
Source: CasPol.exe, 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: file.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: file.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: file.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: file.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: unknown | DNS traffic detected: queries for: ezemnia3.ddns.net
Source: CasPol.exe, 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Source: Yara match | File source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTR

System Summary

Source: file.exe, type: SAMPLE | Matched rule: Detects zgRAT | Author: ditekSHen
Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.2.file.exe.145c1610000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT | Author: ditekSHen
Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.0.file.exe.145c1610000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT | Author: ditekSHen
Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: file.exe, type: SAMPLE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 0.2.file.exe.145c1610000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 0.0.file.exe.145c1610000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_011DE471
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_011DE480
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_011DBBD4
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_06270040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_02C60958
        Source: file.exeStatic PE information: No import functions for PE file found
        Source: file.exeBinary or memory string: OriginalFilename vs file.exe
        Source: file.exe, 00000000.00000002.549229090.00000145C19F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
        Source: file.exe, 00000000.00000002.548528869.00000145C185C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
        Source: file.exe, 00000000.00000002.549352152.00000145C327A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
        Source: file.exeBinary or memory string: OriginalFilenameNNnBbBb88837363.exe@ vs file.exe
        Source: file.exeStatic PE information: invalid certificate
        Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: file.exeReversingLabs: Detection: 43%
        Source: file.exeVirustotal: Detection: 38%
        Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/5@6/2
        Source: 7.0.dhcpmon.exe.a20000.0.unpack, Microsoft.Tools.Caspol/caspol.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.0.dhcpmon.exe.a20000.0.unpack, Microsoft.Tools.Caspol/caspol.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: dhcpmon.exe.6.dr, Microsoft.Tools.Caspol/caspol.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: dhcpmon.exe.6.dr, Microsoft.Tools.Caspol/caspol.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: file.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
        Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{954449b5-566c-46fe-92f0-8eb82a7f77b0}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5172:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: file.exe, eIQBFj4YOoPaQh0jeI/hWJSDt1cbIHhwB8IyT.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: CEMENT.pdb source: file.exe, 00000000.00000002.549229090.00000145C19F0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.549352152.00000145C327A000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: NNnBbBb88837363.pdb source: file.exe
        Source: Binary string: caspol.pdbdv source: CasPol.exe, 00000006.00000003.550917074.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000007.00000000.571315354.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, dhcpmon.exe.6.dr
        Source: Binary string: b77a5c561934e089\mscorlib.pdb source: CasPol.exe, 00000006.00000002.804277570.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: caspol.pdb source: CasPol.exe, 00000006.00000003.550917074.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000007.00000000.571315354.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, dhcpmon.exe.6.dr

        Data Obfuscation

        Source: file.exe, eL5q8HsERTwMsdrqmV/uo8s0vg8A5M29mVwMB.cs | .Net Code: uo8gs0v8A System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: file.exe, eIQBFj4YOoPaQh0jeI/hWJSDt1cbIHhwB8IyT.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8161752A0 push ebx; retf
        Source: file.exe | Static PE information: real checksum: 0xd69ae should be: 0xd2b30
        Source: file.exe | Static PE information: 0xC358B1DE [Wed Nov 8 12:30:22 2073 UTC]
        Source: initial sample | Static PE information: section name: .text entropy: 7.952638566367337
        Source: file.exe, eIQBFj4YOoPaQh0jeI/hWJSDt1cbIHhwB8IyT.cs | High entropy of concatenated method names: '.cctor', 'xbQ5ZiM2QQOJI', 'QeO1hXjX2', 'PTA4ALlxk', 'wgDGkBauJ', 'jynTfrlxm', 'TKPRtMKRt', 'fjTYr7jq5', 'HngPRVud2', 'VL2FB9Np1'
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\file.exe TID: 5512 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6804 | Thread sleep time: -13835058055282155s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4948 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 9582
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: foregroundWindowGot 1142
        Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
        Source: CasPol.exe, 00000006.00000002.804277570.0000000000E22000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
        Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 420000
        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 422000
        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: AB9008
        Source: file.exe, eIQBFj4YOoPaQh0jeI/hWJSDt1cbIHhwB8IyT.cs | Reference to suspicious API methods: ('BUUqp5gVv', 'GetProcAddress@kernel32'), ('i4KotaHEv', 'LoadLibrary@kernel32')
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs | Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
        Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: CasPol.exe, 00000006.00000002.805344954.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.805344954.0000000003338000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.805344954.0000000003021000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerH
        Source: CasPol.exe, 00000006.00000002.805344954.000000000328D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.805344954.000000000321F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.809918412.00000000068BD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: Program Manager
        Source: CasPol.exe, 00000006.00000002.805344954.0000000003338000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerPZ
        Source: CasPol.exe, 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managert
        Source: CasPol.exe, 00000006.00000002.805344954.000000000328D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerHa
        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match | File source: file.exe, type: SAMPLE
        Source: Yara match | File source: 0.2.file.exe.145c1610000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.0.file.exe.145c1610000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: file.exe, type: SAMPLE
        Source: Yara match | File source: 0.2.file.exe.145c1610000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.0.file.exe.145c1610000.0.unpack, type: UNPACKEDPE
        Source: file.exe, 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: CasPol.exe, 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: Yara match | File source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Native API | Path Interception | 312 Process Injection | 2 Masquerading | 11 Input Capture | 1 Security Software Discovery | Remote Services | 11 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Remote Access Software | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | 21 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Hidden Files and Directories | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 22 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Timestomp | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

Source | Detection | Scanner | Label | Link
file.exe | 43% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
file.exe | 39% | Virustotal | | Browse
file.exe | 100% | Avira | HEUR/AGEN.1325558 |
file.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs | |
        No Antivirus matches
Source | Detection | Scanner | Label | Link
ezemnia3.ddns.net | 7% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
ezemnia3.ddns.net | 7% | Virustotal | | Browse
91.193.75.178 | 13% | Virustotal | | Browse
ezemnia3.ddns.net | 100% | Avira URL Cloud | malware |
91.193.75.178 | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ezemnia3.ddns.net | 197.210.227.232 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
ezemnia3.ddns.net | true | 7%, Virustotal, Browse; Avira URL Cloud: malware | unknown
91.193.75.178 | true | 13%, Virustotal, Browse; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CasPol.exe, 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
197.210.227.232 | ezemnia3.ddns.net | Nigeria | | 29465 | VCG-ASNG | true
91.193.75.178 | unknown | Serbia | | 209623 | DAVID_CRAIGG | true
          Joe Sandbox Version:37.1.0 Beryl
          Analysis ID:880637
          Start date and time:2023-06-02 15:37:42 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 10m 48s
          Hypervisor based Inspection enabled:false
          Report type:light
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:9
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample file name:file.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@11/5@6/2
          EGA Information:
          • Successful, ratio: 33.3%
          HDC Information:
          • Successful, ratio: 23.3% (good quality ratio 19.9%)
          • Quality average: 56.3%
          • Quality standard deviation: 33.9%
          HCA Information:
          • Successful, ratio: 80%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
          • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
          • Execution Graph export aborted for target dhcpmon.exe, PID 7020 because it is empty
          • Execution Graph export aborted for target file.exe, PID 5540 because it is empty
          • Not all processes where analyzed, report is missing behavior information
Time | Type | Description
15:38:43 | API Interceptor | 1003x Sleep call for process: CasPol.exe modified
15:38:44 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
No context
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):107624
          Entropy (8bit):5.882571203162287
          Encrypted:false
          SSDEEP:1536:oSF7vA1hRqHixxMjlI34j8p2mdc/6A4vW/CU1RPMRVQJE:/A1hDPMip2mdcyA4vW/JRPMLQW
          MD5:F866FC1C2E928779C7119353C3091F0C
          SHA1:70D06064E2F12CFB10A82BC985F86F58EA7A4138
          SHA-256:67F3FC243C58EEAE55BDDC22CE025B7841A89ACA2E201B999D8C0E4F07D177B8
          SHA-512:B28B10801580726B85AB5F796EA26835648A3ACFBE1FBA95DFC687439B43FF9548BD3AB9EFC85D88FC071D232718BCFFAC614CC5BFF159173996A3D2AB22154D
          Malicious:false
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rX.Z..............0..X...........v... ........@.. ..............................Q.....`.................................<v..O.......$............f..h>...........u............................................... ............... ..H............text....V... ...X.................. ..`.rsrc...$............Z..............@..@.reloc...............d..............@..B................pv......H.......,...`...............xE...t......................................2~P....o....*.r...p(....*VrK..p(....s.....P...*..0.._.......~....:O....>.....%.rm..p...A...s......su....%.r...p...A...s....rm..p.su....%.r...p...B...s......su....%.r...p...B...s....r...p.su....%.r...p...C...s......su....%.r...p...C...s....r...p.su....%.r...p...D...s......su....%.r...p...D...s....r...p.su....%.r...p...E...s......su....%..r...p...E...s....r...p.su....%..r...p...F...s......su....%..r...p...F
          Process:C:\Users\user\Desktop\file.exe
          File Type:CSV text
          Category:dropped
          Size (bytes):226
          Entropy (8bit):5.354940450065058
          Encrypted:false
          SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
          MD5:B10E37251C5B495643F331DB2EEC3394
          SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
          SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
          SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
          Malicious:true
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):42
          Entropy (8bit):4.0050635535766075
          Encrypted:false
          SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
          MD5:84CFDB4B995B1DBF543B26B86C863ADC
          SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
          SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
          SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
          Malicious:false
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          File Type:Non-ISO extended-ASCII text, with no line terminators
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:3:YD:YD
          MD5:B9FAA684C030A959ECE6EDA0744AFD35
          SHA1:1CF54F509326FE102FC5EAEDB7A40FD01596867B
          SHA-256:473C5B472D03FC596D7FD7A483C62F9A54E839F21F81C8C21F5222A800F1C8E3
          SHA-512:6F50C9464093DA3735B6DF7E4F076A1C92CDFC14BC1B03D287EAC4F622130E9FE65EB4B168A3F30B8BA69C7FC42111566766BD84DC137E6EA2AFC82AB694BFA0
          Malicious:true
          Preview:....nc.H
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):486
          Entropy (8bit):5.064987733454706
          Encrypted:false
          SSDEEP:12:z30U30b4BFNY8fNFquci7S1pE+DPOCN6+QOH5JyY:z3F3g4DO4UE+Tz5JB
          MD5:30394F72BB157162F35A2DEB1F48BD1A
          SHA1:66AD7D748F42C64E0698606A8F019D165DE657E8
          SHA-256:133FABF0CD558FA3E5144E9EF35654FA0422F8424C6D5D82828B8D10EC9BA295
          SHA-512:A93E12D6C9927403FE0E20B8A698B24007EBCCD53A29AD65428366C6CE3CED05E5F3AEFF1D46C7D9F174EAEAE5059F0B5D12353B6022965CDC5D187E45FA72E9
          Malicious:false
          Preview:Microsoft .NET Framework CasPol 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....WARNING: The .NET Framework does not apply CAS policy by default. Any settings shown or modified by CasPol will only ..affect applications that opt into using CAS policy. ....Please see http://go.microsoft.com/fwlink/?LinkId=131738 for more information. ......ERROR: Not enough arguments....For usage information, use 'caspol -?'..
          File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.944928855592647
          TrID:
          • Win64 Executable GUI Net Framework (217006/5) 49.88%
          • Win64 Executable GUI (202006/5) 46.43%
          • Win64 Executable (generic) (12005/4) 2.76%
          • Generic Win/DOS Executable (2004/3) 0.46%
          • DOS Executable Generic (2002/1) 0.46%
          File name:file.exe
          File size:834112
          MD5:8d93c7903bfd5900d72dbeb3b0968508
          SHA1:fad787dd1ebae5cc64aaf7762dd6f49de50adfa7
          SHA256:685522dda736e8c071fcc9dc4b7bb3d58c45f36828eb0b8ca8557e5ec56499ad
          SHA512:c6a36b15350a8579d81f6d9fa9b3f069251dcee996f2047a2b6c60bd4c1705b4bb1a3a954ead68378119c460db385a554901950a7240ca40b54ed589d9bf46e1
          SSDEEP:24576:0mr0x3EEEfgYsSKS+KY9Zl6IX+OPZjv8+i0YUlo4:0mry3EEWKHrLPZjvpzlo4
          TLSH:070512697744348DC81BC8B1D9EA0C3167A277AB6777C3073147128E8E8E7D6CF581A6
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....X...............0..T............... ....@...... ...............................i....`...@......@............... .....
          Icon Hash:526c6a52d0e4f047
          Entrypoint:0x400000
          Entrypoint Section:
          Digitally signed:true
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Time Stamp:0xC358B1DE [Wed Nov 8 12:30:22 2073 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:
          Signature Valid:false
          Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
          Signature Validation Error:The digital signature of the object did not verify
          Error Number:-2146869232
          Not Before, Not After
          • 12/13/2021 1:00:00 AM 1/9/2025 12:59:59 AM
          Subject Chain
          • CN=philandro Software GmbH, O=philandro Software GmbH, L=Stuttgart, S=Baden-W\xfcrttemberg, C=DE
          Version:3
          Thumbprint MD5:EAE713DFC05244CF4301BF1C9F68B1BE
          Thumbprint SHA-1:9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE
          Thumbprint SHA-256:9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF
          Serial:0DBF152DEAF0B981A8A938D53F769DB8
          Instruction
          dec ebp
          pop edx
          nop
          add byte ptr [ebx], al
          add byte ptr [eax], al
          add byte ptr [eax+eax], al
          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x1c1a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc7400 | 0x4640 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc7388 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc53d0 | 0xc5400 | False | 0.9533168468789607 | data | 7.952638566367337 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc8000 | 0x1c1a | 0x1e00 | False | 0.33098958333333334 | data | 5.310141871037977 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc81b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | |
RT_ICON | 0xc9258 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | |
RT_GROUP_ICON | 0xc96c0 | 0x22 | data | |
RT_VERSION | 0xc96e4 | 0x34c | data | |
RT_MANIFEST | 0xc9a30 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 2, 2023 15:38:45.180541039 CEST | 49695 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:38:48.188280106 CEST | 49695 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:38:54.189002037 CEST | 49695 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:39:05.644177914 CEST | 49696 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:39:08.658771038 CEST | 49696 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:39:14.659281969 CEST | 49696 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:39:24.280808926 CEST | 49700 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:39:27.285420895 CEST | 49700 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:39:33.285824060 CEST | 49700 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:39:42.834573030 CEST | 49701 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:39:42.879101038 CEST | 62335 | 49701 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:39:43.380434990 CEST | 49701 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:39:43.425004959 CEST | 62335 | 49701 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:39:43.927361965 CEST | 49701 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:39:43.972152948 CEST | 62335 | 49701 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:39:47.977063894 CEST | 49702 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:39:48.021768093 CEST | 62335 | 49702 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:39:48.537118912 CEST | 49702 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:39:48.581811905 CEST | 62335 | 49702 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:39:49.099692106 CEST | 49702 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:39:49.144428968 CEST | 62335 | 49702 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:39:53.149203062 CEST | 49703 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:39:53.193831921 CEST | 62335 | 49703 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:39:53.709573030 CEST | 49703 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:39:53.754199982 CEST | 62335 | 49703 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:39:54.257426023 CEST | 49703 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:39:54.301930904 CEST | 62335 | 49703 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:39:58.480582952 CEST | 49704 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:40:01.491422892 CEST | 49704 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:40:07.507503986 CEST | 49704 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:40:17.230046034 CEST | 49705 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:40:20.243091106 CEST | 49705 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:40:26.243532896 CEST | 49705 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:40:26.515712976 CEST | 62335 | 49705 | 197.210.227.232 | 192.168.2.4
Jun 2, 2023 15:40:30.753041983 CEST | 49706 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:40:30.930021048 CEST | 62335 | 49706 | 197.210.227.232 | 192.168.2.4
Jun 2, 2023 15:40:31.431394100 CEST | 49706 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:40:31.612078905 CEST | 62335 | 49706 | 197.210.227.232 | 192.168.2.4
Jun 2, 2023 15:40:32.119024038 CEST | 49706 | 62335 | 192.168.2.4 | 197.210.227.232
Jun 2, 2023 15:40:32.291821003 CEST | 62335 | 49706 | 197.210.227.232 | 192.168.2.4
Jun 2, 2023 15:40:36.308774948 CEST | 49707 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:40:36.353142023 CEST | 62335 | 49707 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:40:36.869467020 CEST | 49707 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:40:36.913860083 CEST | 62335 | 49707 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:40:37.416409016 CEST | 49707 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:40:37.460726976 CEST | 62335 | 49707 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:40:41.466217041 CEST | 49708 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:40:41.513715029 CEST | 62335 | 49708 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:40:42.026073933 CEST | 49708 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:40:42.070286989 CEST | 62335 | 49708 | 91.193.75.178 | 192.168.2.4
Jun 2, 2023 15:40:42.572973013 CEST | 49708 | 62335 | 192.168.2.4 | 91.193.75.178
Jun 2, 2023 15:40:42.617302895 CEST | 62335 | 49708 | 91.193.75.178 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 2, 2023 15:38:45.139378071 CEST | 52239 | 53 | 192.168.2.4 | 8.8.8.8
Jun 2, 2023 15:38:45.165621996 CEST | 53 | 52239 | 8.8.8.8 | 192.168.2.4
Jun 2, 2023 15:39:05.603955030 CEST | 56807 | 53 | 192.168.2.4 | 8.8.8.8
Jun 2, 2023 15:39:05.639246941 CEST | 53 | 56807 | 8.8.8.8 | 192.168.2.4
Jun 2, 2023 15:39:24.258562088 CEST | 59444 | 53 | 192.168.2.4 | 8.8.8.8
Jun 2, 2023 15:39:24.279351950 CEST | 53 | 59444 | 8.8.8.8 | 192.168.2.4
Jun 2, 2023 15:39:58.447350979 CEST | 55570 | 53 | 192.168.2.4 | 8.8.8.8
Jun 2, 2023 15:39:58.473865986 CEST | 53 | 55570 | 8.8.8.8 | 192.168.2.4
Jun 2, 2023 15:40:17.157872915 CEST | 64906 | 53 | 192.168.2.4 | 8.8.8.8
Jun 2, 2023 15:40:17.197916031 CEST | 53 | 64906 | 8.8.8.8 | 192.168.2.4
Jun 2, 2023 15:40:30.706660032 CEST | 59446 | 53 | 192.168.2.4 | 8.8.8.8
Jun 2, 2023 15:40:30.741974115 CEST | 53 | 59446 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 2, 2023 15:38:45.139378071 CEST | 192.168.2.4 | 8.8.8.8 | 0xfd5 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 15:39:05.603955030 CEST | 192.168.2.4 | 8.8.8.8 | 0xb8b7 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 15:39:24.258562088 CEST | 192.168.2.4 | 8.8.8.8 | 0x154c | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 15:39:58.447350979 CEST | 192.168.2.4 | 8.8.8.8 | 0xfe37 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 15:40:17.157872915 CEST | 192.168.2.4 | 8.8.8.8 | 0x9593 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 2, 2023 15:40:30.706660032 CEST | 192.168.2.4 | 8.8.8.8 | 0xbb35 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 2, 2023 15:38:45.165621996 CEST | 8.8.8.8 | 192.168.2.4 | 0xfd5 | No error (0) | ezemnia3.ddns.net | | 197.210.227.232 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 15:39:05.639246941 CEST | 8.8.8.8 | 192.168.2.4 | 0xb8b7 | No error (0) | ezemnia3.ddns.net | | 197.210.227.232 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 15:39:24.279351950 CEST | 8.8.8.8 | 192.168.2.4 | 0x154c | No error (0) | ezemnia3.ddns.net | | 197.210.227.232 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 15:39:58.473865986 CEST | 8.8.8.8 | 192.168.2.4 | 0xfe37 | No error (0) | ezemnia3.ddns.net | | 197.210.227.232 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 15:40:17.197916031 CEST | 8.8.8.8 | 192.168.2.4 | 0x9593 | No error (0) | ezemnia3.ddns.net | | 197.210.227.232 | A (IP address) | IN (0x0001) | false
Jun 2, 2023 15:40:30.741974115 CEST | 8.8.8.8 | 192.168.2.4 | 0xbb35 | No error (0) | ezemnia3.ddns.net | | 197.210.227.232 | A (IP address) | IN (0x0001) | false


          Target ID:0
          Start time:15:38:37
          Start date:02/06/2023
          Path:C:\Users\user\Desktop\file.exe
          Wow64 process (32bit):false
          Commandline:C:\Users\user\Desktop\file.exe
          Imagebase:0x145c1610000
          File size:834112 bytes
          MD5 hash:8D93C7903BFD5900D72DBEB3B0968508
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:low

          Target ID:3
          Start time:15:38:39
          Start date:02/06/2023
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
          Imagebase:0x330000
          File size:107624 bytes
          MD5 hash:F866FC1C2E928779C7119353C3091F0C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          Target ID:4
          Start time:15:38:40
          Start date:02/06/2023
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
          Imagebase:0x150000
          File size:107624 bytes
          MD5 hash:F866FC1C2E928779C7119353C3091F0C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          Target ID:5
          Start time:15:38:40
          Start date:02/06/2023
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
          Imagebase:0x100000
          File size:107624 bytes
          MD5 hash:F866FC1C2E928779C7119353C3091F0C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          Target ID:6
          Start time:15:38:40
          Start date:02/06/2023
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
          Imagebase:0x800000
          File size:107624 bytes
          MD5 hash:F866FC1C2E928779C7119353C3091F0C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
          Reputation:moderate

          Target ID:7
          Start time:15:38:52
          Start date:02/06/2023
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
          Imagebase:0xa20000
          File size:107624 bytes
          MD5 hash:F866FC1C2E928779C7119353C3091F0C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:.Net C# or VB.NET
          Antivirus matches:
          • Detection: 0%, ReversingLabs
          Reputation:moderate

          Target ID:8
          Start time:15:38:52
          Start date:02/06/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7c72c0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high

          No disassembly