Edit tour

Windows Analysis Report
Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Overview

General Information

Sample Name:	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Analysis ID:	881372
MD5:	d2c96c075741ccd8bed558e39838a59d
SHA1:	09667b1bef10f69697d997a26d9d963dfe4bdeb3
SHA256:	d2a573edc893e24fbf245c4f8f918ec3b4f04fab928f073a24da3cb741d18388
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for dropped file

Sigma detected: Drops script at startup location

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Binary is likely a compiled AutoIt script file

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to call native functions

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a start menu entry (Start Menu\Programs\Startup)

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe (PID: 7044 cmdline: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe MD5: D2C96C075741CCD8BED558E39838A59D)

MSBuild.exe (PID: 5980 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)

schtasks.exe (PID: 5916 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 5744 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0 MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 3100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

znytpstdcrwsisx.exe (PID: 5292 cmdline: "C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe" MD5: A360B0402DD16AE837F59D09E1BF3B3C)

MSBuild.exe (PID: 5944 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.morphisec.com/syk-crypter-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "2ad4e32f-c687-4329-b5e5-302ef0e0", "Group": "Default", "Domain1": "nickdns22.duckdns.org", "Domain2": "127.0.0.1", "Port": 1896, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url	Methodology_Suspicious_Shortcut_Local_URL	Detects local script usage for .URL persistence	@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)	0x14:$file: URL=file:/// 0x71:$file: URL=file:/// 0x0:$url_explicit: [InternetShortcut] 0x5d:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xfd9d:$x1: NanoCore.ClientPluginHost 0xfdda:$x2: IClientNetworkHost 0x1390d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfb05:$a: NanoCore 0xfb15:$a: NanoCore 0xfd49:$a: NanoCore 0xfd5d:$a: NanoCore 0xfd9d:$a: NanoCore 0xfb64:$b: ClientPlugin 0xfd66:$b: ClientPlugin 0xfda6:$b: ClientPlugin 0xfc8b:$c: ProjectData 0x10692:$d: DESCrypto 0x1805e:$e: KeepAlive 0x1604c:$g: LogClientMessage 0x12247:$i: get_Connected 0x109c8:$j: #=q 0x109f8:$j: #=q 0x10a14:$j: #=q 0x10a44:$j: #=q 0x10a60:$j: #=q 0x10a7c:$j: #=q 0x10aac:$j: #=q 0x10ac8:$j: #=q
00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfd9d:$a1: NanoCore.ClientPluginHost 0xfd5d:$a2: NanoCore.ClientPlugin 0x11cb6:$b1: get_BuilderSettings 0xfbb9:$b2: ClientLoaderForm.resources 0x113d6:$b3: PluginCommand 0xfd8e:$b4: IClientAppHost 0x1a20e:$b5: GetBlockHash 0x1230e:$b6: AddHostEntry 0x16001:$b7: LogClientException 0x1227b:$b8: PipeExists 0xfdc7:$b9: IClientLoggingHost
00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x35a4d:$x1: NanoCore.ClientPluginHost 0x35a8a:$x2: IClientNetworkHost 0x395bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x357b5:$a: NanoCore 0x357c5:$a: NanoCore 0x359f9:$a: NanoCore 0x35a0d:$a: NanoCore 0x35a4d:$a: NanoCore 0x35814:$b: ClientPlugin 0x35a16:$b: ClientPlugin 0x35a56:$b: ClientPlugin 0x3593b:$c: ProjectData 0x36342:$d: DESCrypto 0x3dd0e:$e: KeepAlive 0x3bcfc:$g: LogClientMessage 0x37ef7:$i: get_Connected 0x36678:$j: #=q 0x366a8:$j: #=q 0x366c4:$j: #=q 0x366f4:$j: #=q 0x36710:$j: #=q 0x3672c:$j: #=q 0x3675c:$j: #=q 0x36778:$j: #=q
00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x35a4d:$a1: NanoCore.ClientPluginHost 0x35a0d:$a2: NanoCore.ClientPlugin 0x37966:$b1: get_BuilderSettings 0x35869:$b2: ClientLoaderForm.resources 0x37086:$b3: PluginCommand 0x35a3e:$b4: IClientAppHost 0x3febe:$b5: GetBlockHash 0x37fbe:$b6: AddHostEntry 0x3bcb1:$b7: LogClientException 0x37f2b:$b8: PipeExists 0x35a77:$b9: IClientLoggingHost
00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10175:$x1: NanoCore.ClientPluginHost 0x101b2:$x2: IClientNetworkHost 0x13ce5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfedd:$a: NanoCore 0xfeed:$a: NanoCore 0x10121:$a: NanoCore 0x10135:$a: NanoCore 0x10175:$a: NanoCore 0xff3c:$b: ClientPlugin 0x1013e:$b: ClientPlugin 0x1017e:$b: ClientPlugin 0x10063:$c: ProjectData 0x10a6a:$d: DESCrypto 0x18436:$e: KeepAlive 0x16424:$g: LogClientMessage 0x1261f:$i: get_Connected 0x10da0:$j: #=q 0x10dd0:$j: #=q 0x10dec:$j: #=q 0x10e1c:$j: #=q 0x10e38:$j: #=q 0x10e54:$j: #=q 0x10e84:$j: #=q 0x10ea0:$j: #=q
00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10175:$a1: NanoCore.ClientPluginHost 0x10135:$a2: NanoCore.ClientPlugin 0x1208e:$b1: get_BuilderSettings 0xff91:$b2: ClientLoaderForm.resources 0x117ae:$b3: PluginCommand 0x10166:$b4: IClientAppHost 0x1a5e6:$b5: GetBlockHash 0x126e6:$b6: AddHostEntry 0x163d9:$b7: LogClientException 0x12653:$b8: PipeExists 0x1019f:$b9: IClientLoggingHost
00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1139d:$x1: NanoCore.ClientPluginHost 0x113da:$x2: IClientNetworkHost 0x14f0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11105:$a: NanoCore 0x11115:$a: NanoCore 0x11349:$a: NanoCore 0x1135d:$a: NanoCore 0x1139d:$a: NanoCore 0x11164:$b: ClientPlugin 0x11366:$b: ClientPlugin 0x113a6:$b: ClientPlugin 0x1128b:$c: ProjectData 0x11c92:$d: DESCrypto 0x1965e:$e: KeepAlive 0x1764c:$g: LogClientMessage 0x13847:$i: get_Connected 0x11fc8:$j: #=q 0x11ff8:$j: #=q 0x12014:$j: #=q 0x12044:$j: #=q 0x12060:$j: #=q 0x1207c:$j: #=q 0x120ac:$j: #=q 0x120c8:$j: #=q
00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1139d:$a1: NanoCore.ClientPluginHost 0x1135d:$a2: NanoCore.ClientPlugin 0x132b6:$b1: get_BuilderSettings 0x111b9:$b2: ClientLoaderForm.resources 0x129d6:$b3: PluginCommand 0x1138e:$b4: IClientAppHost 0x1b80e:$b5: GetBlockHash 0x1390e:$b6: AddHostEntry 0x17601:$b7: LogClientException 0x1387b:$b8: PipeExists 0x113c7:$b9: IClientLoggingHost
00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf39d:$x1: NanoCore.ClientPluginHost 0xf3da:$x2: IClientNetworkHost 0x12f0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf105:$a: NanoCore 0xf115:$a: NanoCore 0xf349:$a: NanoCore 0xf35d:$a: NanoCore 0xf39d:$a: NanoCore 0xf164:$b: ClientPlugin 0xf366:$b: ClientPlugin 0xf3a6:$b: ClientPlugin 0xf28b:$c: ProjectData 0xfc92:$d: DESCrypto 0x1765e:$e: KeepAlive 0x1564c:$g: LogClientMessage 0x11847:$i: get_Connected 0xffc8:$j: #=q 0xfff8:$j: #=q 0x10014:$j: #=q 0x10044:$j: #=q 0x10060:$j: #=q 0x1007c:$j: #=q 0x100ac:$j: #=q 0x100c8:$j: #=q
00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf39d:$a1: NanoCore.ClientPluginHost 0xf35d:$a2: NanoCore.ClientPlugin 0x112b6:$b1: get_BuilderSettings 0xf1b9:$b2: ClientLoaderForm.resources 0x109d6:$b3: PluginCommand 0xf38e:$b4: IClientAppHost 0x1980e:$b5: GetBlockHash 0x1190e:$b6: AddHostEntry 0x15601:$b7: LogClientException 0x1187b:$b8: PipeExists 0xf3c7:$b9: IClientLoggingHost
00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf9a5:$x1: NanoCore.ClientPluginHost 0xf9e2:$x2: IClientNetworkHost 0x13515:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf70d:$a: NanoCore 0xf71d:$a: NanoCore 0xf951:$a: NanoCore 0xf965:$a: NanoCore 0xf9a5:$a: NanoCore 0xf76c:$b: ClientPlugin 0xf96e:$b: ClientPlugin 0xf9ae:$b: ClientPlugin 0xf893:$c: ProjectData 0x1029a:$d: DESCrypto 0x17c66:$e: KeepAlive 0x15c54:$g: LogClientMessage 0x11e4f:$i: get_Connected 0x105d0:$j: #=q 0x10600:$j: #=q 0x1061c:$j: #=q 0x1064c:$j: #=q 0x10668:$j: #=q 0x10684:$j: #=q 0x106b4:$j: #=q 0x106d0:$j: #=q
00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf9a5:$a1: NanoCore.ClientPluginHost 0xf965:$a2: NanoCore.ClientPlugin 0x118be:$b1: get_BuilderSettings 0xf7c1:$b2: ClientLoaderForm.resources 0x10fde:$b3: PluginCommand 0xf996:$b4: IClientAppHost 0x19e16:$b5: GetBlockHash 0x11f16:$b6: AddHostEntry 0x15c09:$b7: LogClientException 0x11e83:$b8: PipeExists 0xf9cf:$b9: IClientLoggingHost
00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x110d5:$x1: NanoCore.ClientPluginHost 0x11112:$x2: IClientNetworkHost 0x14c45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10e3d:$a: NanoCore 0x10e4d:$a: NanoCore 0x11081:$a: NanoCore 0x11095:$a: NanoCore 0x110d5:$a: NanoCore 0x10e9c:$b: ClientPlugin 0x1109e:$b: ClientPlugin 0x110de:$b: ClientPlugin 0x10fc3:$c: ProjectData 0x119ca:$d: DESCrypto 0x19396:$e: KeepAlive 0x17384:$g: LogClientMessage 0x1357f:$i: get_Connected 0x11d00:$j: #=q 0x11d30:$j: #=q 0x11d4c:$j: #=q 0x11d7c:$j: #=q 0x11d98:$j: #=q 0x11db4:$j: #=q 0x11de4:$j: #=q 0x11e00:$j: #=q
00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x110d5:$a1: NanoCore.ClientPluginHost 0x11095:$a2: NanoCore.ClientPlugin 0x12fee:$b1: get_BuilderSettings 0x10ef1:$b2: ClientLoaderForm.resources 0x1270e:$b3: PluginCommand 0x110c6:$b4: IClientAppHost 0x1b546:$b5: GetBlockHash 0x13646:$b6: AddHostEntry 0x17339:$b7: LogClientException 0x135b3:$b8: PipeExists 0x110ff:$b9: IClientLoggingHost
00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x100d5:$x1: NanoCore.ClientPluginHost 0x42cdd:$x1: NanoCore.ClientPluginHost 0x10112:$x2: IClientNetworkHost 0x42d1a:$x2: IClientNetworkHost 0x13c45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4684d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfe3d:$a: NanoCore 0xfe4d:$a: NanoCore 0x10081:$a: NanoCore 0x10095:$a: NanoCore 0x100d5:$a: NanoCore 0x42a45:$a: NanoCore 0x42a55:$a: NanoCore 0x42c89:$a: NanoCore 0x42c9d:$a: NanoCore 0x42cdd:$a: NanoCore 0xfe9c:$b: ClientPlugin 0x1009e:$b: ClientPlugin 0x100de:$b: ClientPlugin 0x42aa4:$b: ClientPlugin 0x42ca6:$b: ClientPlugin 0x42ce6:$b: ClientPlugin 0xffc3:$c: ProjectData 0x42bcb:$c: ProjectData 0x109ca:$d: DESCrypto 0x435d2:$d: DESCrypto 0x18396:$e: KeepAlive
00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x100d5:$a1: NanoCore.ClientPluginHost 0x42cdd:$a1: NanoCore.ClientPluginHost 0x10095:$a2: NanoCore.ClientPlugin 0x42c9d:$a2: NanoCore.ClientPlugin 0x11fee:$b1: get_BuilderSettings 0x44bf6:$b1: get_BuilderSettings 0xfef1:$b2: ClientLoaderForm.resources 0x42af9:$b2: ClientLoaderForm.resources 0x1170e:$b3: PluginCommand 0x44316:$b3: PluginCommand 0x100c6:$b4: IClientAppHost 0x42cce:$b4: IClientAppHost 0x1a546:$b5: GetBlockHash 0x4d14e:$b5: GetBlockHash 0x12646:$b6: AddHostEntry 0x4524e:$b6: AddHostEntry 0x16339:$b7: LogClientException 0x48f41:$b7: LogClientException 0x125b3:$b8: PipeExists 0x451bb:$b8: PipeExists 0x100ff:$b9: IClientLoggingHost
00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf1d5:$x1: NanoCore.ClientPluginHost 0xf212:$x2: IClientNetworkHost 0x12d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xef3d:$a: NanoCore 0xef4d:$a: NanoCore 0xf181:$a: NanoCore 0xf195:$a: NanoCore 0xf1d5:$a: NanoCore 0xef9c:$b: ClientPlugin 0xf19e:$b: ClientPlugin 0xf1de:$b: ClientPlugin 0xf0c3:$c: ProjectData 0xfaca:$d: DESCrypto 0x17496:$e: KeepAlive 0x15484:$g: LogClientMessage 0x1167f:$i: get_Connected 0xfe00:$j: #=q 0xfe30:$j: #=q 0xfe4c:$j: #=q 0xfe7c:$j: #=q 0xfe98:$j: #=q 0xfeb4:$j: #=q 0xfee4:$j: #=q 0xff00:$j: #=q
00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf1d5:$a1: NanoCore.ClientPluginHost 0xf195:$a2: NanoCore.ClientPlugin 0x110ee:$b1: get_BuilderSettings 0xeff1:$b2: ClientLoaderForm.resources 0x1080e:$b3: PluginCommand 0xf1c6:$b4: IClientAppHost 0x19646:$b5: GetBlockHash 0x11746:$b6: AddHostEntry 0x15439:$b7: LogClientException 0x116b3:$b8: PipeExists 0xf1ff:$b9: IClientLoggingHost
00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf9a5:$x1: NanoCore.ClientPluginHost 0xf9e2:$x2: IClientNetworkHost 0x13515:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf70d:$a: NanoCore 0xf71d:$a: NanoCore 0xf951:$a: NanoCore 0xf965:$a: NanoCore 0xf9a5:$a: NanoCore 0xf76c:$b: ClientPlugin 0xf96e:$b: ClientPlugin 0xf9ae:$b: ClientPlugin 0xf893:$c: ProjectData 0x1029a:$d: DESCrypto 0x17c66:$e: KeepAlive 0x15c54:$g: LogClientMessage 0x11e4f:$i: get_Connected 0x105d0:$j: #=q 0x10600:$j: #=q 0x1061c:$j: #=q 0x1064c:$j: #=q 0x10668:$j: #=q 0x10684:$j: #=q 0x106b4:$j: #=q 0x106d0:$j: #=q
00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf9a5:$a1: NanoCore.ClientPluginHost 0xf965:$a2: NanoCore.ClientPlugin 0x118be:$b1: get_BuilderSettings 0xf7c1:$b2: ClientLoaderForm.resources 0x10fde:$b3: PluginCommand 0xf996:$b4: IClientAppHost 0x19e16:$b5: GetBlockHash 0x11f16:$b6: AddHostEntry 0x15c09:$b7: LogClientException 0x11e83:$b8: PipeExists 0xf9cf:$b9: IClientLoggingHost
00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf1d5:$x1: NanoCore.ClientPluginHost 0xf212:$x2: IClientNetworkHost 0x12d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xef3d:$a: NanoCore 0xef4d:$a: NanoCore 0xf181:$a: NanoCore 0xf195:$a: NanoCore 0xf1d5:$a: NanoCore 0xef9c:$b: ClientPlugin 0xf19e:$b: ClientPlugin 0xf1de:$b: ClientPlugin 0xf0c3:$c: ProjectData 0xfaca:$d: DESCrypto 0x17496:$e: KeepAlive 0x15484:$g: LogClientMessage 0x1167f:$i: get_Connected 0xfe00:$j: #=q 0xfe30:$j: #=q 0xfe4c:$j: #=q 0xfe7c:$j: #=q 0xfe98:$j: #=q 0xfeb4:$j: #=q 0xfee4:$j: #=q 0xff00:$j: #=q
00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf1d5:$a1: NanoCore.ClientPluginHost 0xf195:$a2: NanoCore.ClientPlugin 0x110ee:$b1: get_BuilderSettings 0xeff1:$b2: ClientLoaderForm.resources 0x1080e:$b3: PluginCommand 0xf1c6:$b4: IClientAppHost 0x19646:$b5: GetBlockHash 0x11746:$b6: AddHostEntry 0x15439:$b7: LogClientException 0x116b3:$b8: PipeExists 0xf1ff:$b9: IClientLoggingHost
00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf39d:$x1: NanoCore.ClientPluginHost 0xf3da:$x2: IClientNetworkHost 0x12f0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf105:$a: NanoCore 0xf115:$a: NanoCore 0xf349:$a: NanoCore 0xf35d:$a: NanoCore 0xf39d:$a: NanoCore 0xf164:$b: ClientPlugin 0xf366:$b: ClientPlugin 0xf3a6:$b: ClientPlugin 0xf28b:$c: ProjectData 0xfc92:$d: DESCrypto 0x1765e:$e: KeepAlive 0x1564c:$g: LogClientMessage 0x11847:$i: get_Connected 0xffc8:$j: #=q 0xfff8:$j: #=q 0x10014:$j: #=q 0x10044:$j: #=q 0x10060:$j: #=q 0x1007c:$j: #=q 0x100ac:$j: #=q 0x100c8:$j: #=q
00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf39d:$a1: NanoCore.ClientPluginHost 0xf35d:$a2: NanoCore.ClientPlugin 0x112b6:$b1: get_BuilderSettings 0xf1b9:$b2: ClientLoaderForm.resources 0x109d6:$b3: PluginCommand 0xf38e:$b4: IClientAppHost 0x1980e:$b5: GetBlockHash 0x1190e:$b6: AddHostEntry 0x15601:$b7: LogClientException 0x1187b:$b8: PipeExists 0xf3c7:$b9: IClientLoggingHost
00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23a53:$a: NanoCore 0x23aac:$a: NanoCore 0x23ae9:$a: NanoCore 0x23b62:$a: NanoCore 0x23ab5:$b: ClientPlugin 0x23af2:$b: ClientPlugin 0x243f0:$b: ClientPlugin 0x243fd:$b: ClientPlugin 0x1b7c9:$e: KeepAlive 0x23f3d:$g: LogClientMessage 0x23ebd:$i: get_Connected 0x15a85:$j: #=q 0x15ab5:$j: #=q 0x15af1:$j: #=q 0x15b19:$j: #=q 0x15b49:$j: #=q 0x15b79:$j: #=q 0x15ba9:$j: #=q 0x15bd9:$j: #=q 0x15bf5:$j: #=q 0x15c25:$j: #=q
00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x23ae9:$a1: NanoCore.ClientPluginHost 0x23aac:$a2: NanoCore.ClientPlugin 0x16fbf:$b1: get_BuilderSettings 0x23e80:$b1: get_BuilderSettings 0x23b37:$b4: IClientAppHost 0x23ef1:$b6: AddHostEntry 0x16f2e:$b7: LogClientException 0x23f60:$b7: LogClientException 0x23ed5:$b8: PipeExists 0x23b24:$b9: IClientLoggingHost
00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x100cd:$x1: NanoCore.ClientPluginHost 0x1010a:$x2: IClientNetworkHost 0x13c3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfe35:$a: NanoCore 0xfe45:$a: NanoCore 0x10079:$a: NanoCore 0x1008d:$a: NanoCore 0x100cd:$a: NanoCore 0xfe94:$b: ClientPlugin 0x10096:$b: ClientPlugin 0x100d6:$b: ClientPlugin 0xffbb:$c: ProjectData 0x109c2:$d: DESCrypto 0x1838e:$e: KeepAlive 0x1637c:$g: LogClientMessage 0x12577:$i: get_Connected 0x10cf8:$j: #=q 0x10d28:$j: #=q 0x10d44:$j: #=q 0x10d74:$j: #=q 0x10d90:$j: #=q 0x10dac:$j: #=q 0x10ddc:$j: #=q 0x10df8:$j: #=q
00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x100cd:$a1: NanoCore.ClientPluginHost 0x1008d:$a2: NanoCore.ClientPlugin 0x11fe6:$b1: get_BuilderSettings 0xfee9:$b2: ClientLoaderForm.resources 0x11706:$b3: PluginCommand 0x100be:$b4: IClientAppHost 0x1a53e:$b5: GetBlockHash 0x1263e:$b6: AddHostEntry 0x16331:$b7: LogClientException 0x125ab:$b8: PipeExists 0x100f7:$b9: IClientLoggingHost
00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x35a4d:$x1: NanoCore.ClientPluginHost 0x35a8a:$x2: IClientNetworkHost 0x395bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x357b5:$a: NanoCore 0x357c5:$a: NanoCore 0x359f9:$a: NanoCore 0x35a0d:$a: NanoCore 0x35a4d:$a: NanoCore 0x35814:$b: ClientPlugin 0x35a16:$b: ClientPlugin 0x35a56:$b: ClientPlugin 0x3593b:$c: ProjectData 0x36342:$d: DESCrypto 0x3dd0e:$e: KeepAlive 0x3bcfc:$g: LogClientMessage 0x37ef7:$i: get_Connected 0x36678:$j: #=q 0x366a8:$j: #=q 0x366c4:$j: #=q 0x366f4:$j: #=q 0x36710:$j: #=q 0x3672c:$j: #=q 0x3675c:$j: #=q 0x36778:$j: #=q
00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x35a4d:$a1: NanoCore.ClientPluginHost 0x35a0d:$a2: NanoCore.ClientPlugin 0x37966:$b1: get_BuilderSettings 0x35869:$b2: ClientLoaderForm.resources 0x37086:$b3: PluginCommand 0x35a3e:$b4: IClientAppHost 0x3febe:$b5: GetBlockHash 0x37fbe:$b6: AddHostEntry 0x3bcb1:$b7: LogClientException 0x37f2b:$b8: PipeExists 0x35a77:$b9: IClientLoggingHost
00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10195:$x1: NanoCore.ClientPluginHost 0x101d2:$x2: IClientNetworkHost 0x13d05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfefd:$a: NanoCore 0xff0d:$a: NanoCore 0x10141:$a: NanoCore 0x10155:$a: NanoCore 0x10195:$a: NanoCore 0xff5c:$b: ClientPlugin 0x1015e:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x10083:$c: ProjectData 0x10a8a:$d: DESCrypto 0x18456:$e: KeepAlive 0x16444:$g: LogClientMessage 0x1263f:$i: get_Connected 0x10dc0:$j: #=q 0x10df0:$j: #=q 0x10e0c:$j: #=q 0x10e3c:$j: #=q 0x10e58:$j: #=q 0x10e74:$j: #=q 0x10ea4:$j: #=q 0x10ec0:$j: #=q
00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10195:$a1: NanoCore.ClientPluginHost 0x10155:$a2: NanoCore.ClientPlugin 0x120ae:$b1: get_BuilderSettings 0xffb1:$b2: ClientLoaderForm.resources 0x117ce:$b3: PluginCommand 0x10186:$b4: IClientAppHost 0x1a606:$b5: GetBlockHash 0x12706:$b6: AddHostEntry 0x163f9:$b7: LogClientException 0x12673:$b8: PipeExists 0x101bf:$b9: IClientLoggingHost
00000001.00000002.630789913.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1156d:$a1: NanoCore.ClientPluginHost 0x11530:$a2: NanoCore.ClientPlugin 0x11904:$b1: get_BuilderSettings 0x115bb:$b4: IClientAppHost 0x11975:$b6: AddHostEntry 0x119e4:$b7: LogClientException 0x11959:$b8: PipeExists 0x115a8:$b9: IClientLoggingHost
00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1039d:$x1: NanoCore.ClientPluginHost 0x103da:$x2: IClientNetworkHost 0x13f0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10105:$a: NanoCore 0x10115:$a: NanoCore 0x10349:$a: NanoCore 0x1035d:$a: NanoCore 0x1039d:$a: NanoCore 0x10164:$b: ClientPlugin 0x10366:$b: ClientPlugin 0x103a6:$b: ClientPlugin 0x1028b:$c: ProjectData 0x10c92:$d: DESCrypto 0x1865e:$e: KeepAlive 0x1664c:$g: LogClientMessage 0x12847:$i: get_Connected 0x10fc8:$j: #=q 0x10ff8:$j: #=q 0x11014:$j: #=q 0x11044:$j: #=q 0x11060:$j: #=q 0x1107c:$j: #=q 0x110ac:$j: #=q 0x110c8:$j: #=q
00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1039d:$a1: NanoCore.ClientPluginHost 0x1035d:$a2: NanoCore.ClientPlugin 0x122b6:$b1: get_BuilderSettings 0x101b9:$b2: ClientLoaderForm.resources 0x119d6:$b3: PluginCommand 0x1038e:$b4: IClientAppHost 0x1a80e:$b5: GetBlockHash 0x1290e:$b6: AddHostEntry 0x16601:$b7: LogClientException 0x1287b:$b8: PipeExists 0x103c7:$b9: IClientLoggingHost
00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf985:$x1: NanoCore.ClientPluginHost 0xf9c2:$x2: IClientNetworkHost 0x134f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf6ed:$a: NanoCore 0xf6fd:$a: NanoCore 0xf931:$a: NanoCore 0xf945:$a: NanoCore 0xf985:$a: NanoCore 0xf74c:$b: ClientPlugin 0xf94e:$b: ClientPlugin 0xf98e:$b: ClientPlugin 0xf873:$c: ProjectData 0x1027a:$d: DESCrypto 0x17c46:$e: KeepAlive 0x15c34:$g: LogClientMessage 0x11e2f:$i: get_Connected 0x105b0:$j: #=q 0x105e0:$j: #=q 0x105fc:$j: #=q 0x1062c:$j: #=q 0x10648:$j: #=q 0x10664:$j: #=q 0x10694:$j: #=q 0x106b0:$j: #=q
00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf985:$a1: NanoCore.ClientPluginHost 0xf945:$a2: NanoCore.ClientPlugin 0x1189e:$b1: get_BuilderSettings 0xf7a1:$b2: ClientLoaderForm.resources 0x10fbe:$b3: PluginCommand 0xf976:$b4: IClientAppHost 0x19df6:$b5: GetBlockHash 0x11ef6:$b6: AddHostEntry 0x15be9:$b7: LogClientException 0x11e63:$b8: PipeExists 0xf9af:$b9: IClientLoggingHost
00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf195:$x1: NanoCore.ClientPluginHost 0x41d9d:$x1: NanoCore.ClientPluginHost 0xf1d2:$x2: IClientNetworkHost 0x41dda:$x2: IClientNetworkHost 0x12d05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4590d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xeefd:$a: NanoCore 0xef0d:$a: NanoCore 0xf141:$a: NanoCore 0xf155:$a: NanoCore 0xf195:$a: NanoCore 0x41b05:$a: NanoCore 0x41b15:$a: NanoCore 0x41d49:$a: NanoCore 0x41d5d:$a: NanoCore 0x41d9d:$a: NanoCore 0xef5c:$b: ClientPlugin 0xf15e:$b: ClientPlugin 0xf19e:$b: ClientPlugin 0x41b64:$b: ClientPlugin 0x41d66:$b: ClientPlugin 0x41da6:$b: ClientPlugin 0xf083:$c: ProjectData 0x41c8b:$c: ProjectData 0xfa8a:$d: DESCrypto 0x42692:$d: DESCrypto 0x17456:$e: KeepAlive
00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf195:$a1: NanoCore.ClientPluginHost 0x41d9d:$a1: NanoCore.ClientPluginHost 0xf155:$a2: NanoCore.ClientPlugin 0x41d5d:$a2: NanoCore.ClientPlugin 0x110ae:$b1: get_BuilderSettings 0x43cb6:$b1: get_BuilderSettings 0xefb1:$b2: ClientLoaderForm.resources 0x41bb9:$b2: ClientLoaderForm.resources 0x107ce:$b3: PluginCommand 0x433d6:$b3: PluginCommand 0xf186:$b4: IClientAppHost 0x41d8e:$b4: IClientAppHost 0x19606:$b5: GetBlockHash 0x4c20e:$b5: GetBlockHash 0x11706:$b6: AddHostEntry 0x4430e:$b6: AddHostEntry 0x153f9:$b7: LogClientException 0x48001:$b7: LogClientException 0x11673:$b8: PipeExists 0x4427b:$b8: PipeExists 0xf1bf:$b9: IClientLoggingHost
00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xfd7d:$x1: NanoCore.ClientPluginHost 0x42985:$x1: NanoCore.ClientPluginHost 0xfdba:$x2: IClientNetworkHost 0x429c2:$x2: IClientNetworkHost 0x138ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x464f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfae5:$a: NanoCore 0xfaf5:$a: NanoCore 0xfd29:$a: NanoCore 0xfd3d:$a: NanoCore 0xfd7d:$a: NanoCore 0x426ed:$a: NanoCore 0x426fd:$a: NanoCore 0x42931:$a: NanoCore 0x42945:$a: NanoCore 0x42985:$a: NanoCore 0xfb44:$b: ClientPlugin 0xfd46:$b: ClientPlugin 0xfd86:$b: ClientPlugin 0x4274c:$b: ClientPlugin 0x4294e:$b: ClientPlugin 0x4298e:$b: ClientPlugin 0xfc6b:$c: ProjectData 0x42873:$c: ProjectData 0x10672:$d: DESCrypto 0x4327a:$d: DESCrypto 0x1803e:$e: KeepAlive
00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfd7d:$a1: NanoCore.ClientPluginHost 0x42985:$a1: NanoCore.ClientPluginHost 0xfd3d:$a2: NanoCore.ClientPlugin 0x42945:$a2: NanoCore.ClientPlugin 0x11c96:$b1: get_BuilderSettings 0x4489e:$b1: get_BuilderSettings 0xfb99:$b2: ClientLoaderForm.resources 0x427a1:$b2: ClientLoaderForm.resources 0x113b6:$b3: PluginCommand 0x43fbe:$b3: PluginCommand 0xfd6e:$b4: IClientAppHost 0x42976:$b4: IClientAppHost 0x1a1ee:$b5: GetBlockHash 0x4cdf6:$b5: GetBlockHash 0x122ee:$b6: AddHostEntry 0x44ef6:$b6: AddHostEntry 0x15fe1:$b7: LogClientException 0x48be9:$b7: LogClientException 0x1225b:$b8: PipeExists 0x44e63:$b8: PipeExists 0xfda7:$b9: IClientLoggingHost
00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x770d5:$x1: NanoCore.ClientPluginHost 0x77112:$x2: IClientNetworkHost 0x7ac45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x76e3d:$a: NanoCore 0x76e4d:$a: NanoCore 0x77081:$a: NanoCore 0x77095:$a: NanoCore 0x770d5:$a: NanoCore 0x76e9c:$b: ClientPlugin 0x7709e:$b: ClientPlugin 0x770de:$b: ClientPlugin 0x76fc3:$c: ProjectData 0x779ca:$d: DESCrypto 0x7f396:$e: KeepAlive 0x7d384:$g: LogClientMessage 0x7957f:$i: get_Connected 0x77d00:$j: #=q 0x77d30:$j: #=q 0x77d4c:$j: #=q 0x77d7c:$j: #=q 0x77d98:$j: #=q 0x77db4:$j: #=q 0x77de4:$j: #=q 0x77e00:$j: #=q
00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x770d5:$a1: NanoCore.ClientPluginHost 0x77095:$a2: NanoCore.ClientPlugin 0x78fee:$b1: get_BuilderSettings 0x76ef1:$b2: ClientLoaderForm.resources 0x7870e:$b3: PluginCommand 0x770c6:$b4: IClientAppHost 0x81546:$b5: GetBlockHash 0x79646:$b6: AddHostEntry 0x7d339:$b7: LogClientException 0x795b3:$b8: PipeExists 0x770ff:$b9: IClientLoggingHost
00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xfd7d:$x1: NanoCore.ClientPluginHost 0xfdba:$x2: IClientNetworkHost 0x138ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfae5:$a: NanoCore 0xfaf5:$a: NanoCore 0xfd29:$a: NanoCore 0xfd3d:$a: NanoCore 0xfd7d:$a: NanoCore 0xfb44:$b: ClientPlugin 0xfd46:$b: ClientPlugin 0xfd86:$b: ClientPlugin 0xfc6b:$c: ProjectData 0x10672:$d: DESCrypto 0x1803e:$e: KeepAlive 0x1602c:$g: LogClientMessage 0x12227:$i: get_Connected 0x109a8:$j: #=q 0x109d8:$j: #=q 0x109f4:$j: #=q 0x10a24:$j: #=q 0x10a40:$j: #=q 0x10a5c:$j: #=q 0x10a8c:$j: #=q 0x10aa8:$j: #=q
00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfd7d:$a1: NanoCore.ClientPluginHost 0xfd3d:$a2: NanoCore.ClientPlugin 0x11c96:$b1: get_BuilderSettings 0xfb99:$b2: ClientLoaderForm.resources 0x113b6:$b3: PluginCommand 0xfd6e:$b4: IClientAppHost 0x1a1ee:$b5: GetBlockHash 0x122ee:$b6: AddHostEntry 0x15fe1:$b7: LogClientException 0x1225b:$b8: PipeExists 0xfda7:$b9: IClientLoggingHost
00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x110cd:$x1: NanoCore.ClientPluginHost 0x1110a:$x2: IClientNetworkHost 0x14c3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10e35:$a: NanoCore 0x10e45:$a: NanoCore 0x11079:$a: NanoCore 0x1108d:$a: NanoCore 0x110cd:$a: NanoCore 0x10e94:$b: ClientPlugin 0x11096:$b: ClientPlugin 0x110d6:$b: ClientPlugin 0x10fbb:$c: ProjectData 0x119c2:$d: DESCrypto 0x1938e:$e: KeepAlive 0x1737c:$g: LogClientMessage 0x13577:$i: get_Connected 0x11cf8:$j: #=q 0x11d28:$j: #=q 0x11d44:$j: #=q 0x11d74:$j: #=q 0x11d90:$j: #=q 0x11dac:$j: #=q 0x11ddc:$j: #=q 0x11df8:$j: #=q
00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x110cd:$a1: NanoCore.ClientPluginHost 0x1108d:$a2: NanoCore.ClientPlugin 0x12fe6:$b1: get_BuilderSettings 0x10ee9:$b2: ClientLoaderForm.resources 0x12706:$b3: PluginCommand 0x110be:$b4: IClientAppHost 0x1b53e:$b5: GetBlockHash 0x1363e:$b6: AddHostEntry 0x17331:$b7: LogClientException 0x135ab:$b8: PipeExists 0x110f7:$b9: IClientLoggingHost
00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xfa4d:$x1: NanoCore.ClientPluginHost 0xfa8a:$x2: IClientNetworkHost 0x135bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf7b5:$a: NanoCore 0xf7c5:$a: NanoCore 0xf9f9:$a: NanoCore 0xfa0d:$a: NanoCore 0xfa4d:$a: NanoCore 0xf814:$b: ClientPlugin 0xfa16:$b: ClientPlugin 0xfa56:$b: ClientPlugin 0xf93b:$c: ProjectData 0x10342:$d: DESCrypto 0x17d0e:$e: KeepAlive 0x15cfc:$g: LogClientMessage 0x11ef7:$i: get_Connected 0x10678:$j: #=q 0x106a8:$j: #=q 0x106c4:$j: #=q 0x106f4:$j: #=q 0x10710:$j: #=q 0x1072c:$j: #=q 0x1075c:$j: #=q 0x10778:$j: #=q
00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfa4d:$a1: NanoCore.ClientPluginHost 0xfa0d:$a2: NanoCore.ClientPlugin 0x11966:$b1: get_BuilderSettings 0xf869:$b2: ClientLoaderForm.resources 0x11086:$b3: PluginCommand 0xfa3e:$b4: IClientAppHost 0x19ebe:$b5: GetBlockHash 0x11fbe:$b6: AddHostEntry 0x15cb1:$b7: LogClientException 0x11f2b:$b8: PipeExists 0xfa77:$b9: IClientLoggingHost
00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x35a4d:$x1: NanoCore.ClientPluginHost 0x35a8a:$x2: IClientNetworkHost 0x395bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x357b5:$a: NanoCore 0x357c5:$a: NanoCore 0x359f9:$a: NanoCore 0x35a0d:$a: NanoCore 0x35a4d:$a: NanoCore 0x35814:$b: ClientPlugin 0x35a16:$b: ClientPlugin 0x35a56:$b: ClientPlugin 0x3593b:$c: ProjectData 0x36342:$d: DESCrypto 0x3dd0e:$e: KeepAlive 0x3bcfc:$g: LogClientMessage 0x37ef7:$i: get_Connected 0x36678:$j: #=q 0x366a8:$j: #=q 0x366c4:$j: #=q 0x366f4:$j: #=q 0x36710:$j: #=q 0x3672c:$j: #=q 0x3675c:$j: #=q 0x36778:$j: #=q
00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x35a4d:$a1: NanoCore.ClientPluginHost 0x35a0d:$a2: NanoCore.ClientPlugin 0x37966:$b1: get_BuilderSettings 0x35869:$b2: ClientLoaderForm.resources 0x37086:$b3: PluginCommand 0x35a3e:$b4: IClientAppHost 0x3febe:$b5: GetBlockHash 0x37fbe:$b6: AddHostEntry 0x3bcb1:$b7: LogClientException 0x37f2b:$b8: PipeExists 0x35a77:$b9: IClientLoggingHost
00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10175:$x1: NanoCore.ClientPluginHost 0x101b2:$x2: IClientNetworkHost 0x13ce5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfedd:$a: NanoCore 0xfeed:$a: NanoCore 0x10121:$a: NanoCore 0x10135:$a: NanoCore 0x10175:$a: NanoCore 0xff3c:$b: ClientPlugin 0x1013e:$b: ClientPlugin 0x1017e:$b: ClientPlugin 0x10063:$c: ProjectData 0x10a6a:$d: DESCrypto 0x18436:$e: KeepAlive 0x16424:$g: LogClientMessage 0x1261f:$i: get_Connected 0x10da0:$j: #=q 0x10dd0:$j: #=q 0x10dec:$j: #=q 0x10e1c:$j: #=q 0x10e38:$j: #=q 0x10e54:$j: #=q 0x10e84:$j: #=q 0x10ea0:$j: #=q
00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10175:$a1: NanoCore.ClientPluginHost 0x10135:$a2: NanoCore.ClientPlugin 0x1208e:$b1: get_BuilderSettings 0xff91:$b2: ClientLoaderForm.resources 0x117ae:$b3: PluginCommand 0x10166:$b4: IClientAppHost 0x1a5e6:$b5: GetBlockHash 0x126e6:$b6: AddHostEntry 0x163d9:$b7: LogClientException 0x12653:$b8: PipeExists 0x1019f:$b9: IClientLoggingHost
00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xfa4d:$x1: NanoCore.ClientPluginHost 0xfa8a:$x2: IClientNetworkHost 0x135bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf7b5:$a: NanoCore 0xf7c5:$a: NanoCore 0xf9f9:$a: NanoCore 0xfa0d:$a: NanoCore 0xfa4d:$a: NanoCore 0xf814:$b: ClientPlugin 0xfa16:$b: ClientPlugin 0xfa56:$b: ClientPlugin 0xf93b:$c: ProjectData 0x10342:$d: DESCrypto 0x17d0e:$e: KeepAlive 0x15cfc:$g: LogClientMessage 0x11ef7:$i: get_Connected 0x10678:$j: #=q 0x106a8:$j: #=q 0x106c4:$j: #=q 0x106f4:$j: #=q 0x10710:$j: #=q 0x1072c:$j: #=q 0x1075c:$j: #=q 0x10778:$j: #=q
00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfa4d:$a1: NanoCore.ClientPluginHost 0xfa0d:$a2: NanoCore.ClientPlugin 0x11966:$b1: get_BuilderSettings 0xf869:$b2: ClientLoaderForm.resources 0x11086:$b3: PluginCommand 0xfa3e:$b4: IClientAppHost 0x19ebe:$b5: GetBlockHash 0x11fbe:$b6: AddHostEntry 0x15cb1:$b7: LogClientException 0x11f2b:$b8: PipeExists 0xfa77:$b9: IClientLoggingHost
00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x35a4d:$x1: NanoCore.ClientPluginHost 0x35a8a:$x2: IClientNetworkHost 0x395bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x357b5:$a: NanoCore 0x357c5:$a: NanoCore 0x359f9:$a: NanoCore 0x35a0d:$a: NanoCore 0x35a4d:$a: NanoCore 0x35814:$b: ClientPlugin 0x35a16:$b: ClientPlugin 0x35a56:$b: ClientPlugin 0x3593b:$c: ProjectData 0x36342:$d: DESCrypto 0x3dd0e:$e: KeepAlive 0x3bcfc:$g: LogClientMessage 0x37ef7:$i: get_Connected 0x36678:$j: #=q 0x366a8:$j: #=q 0x366c4:$j: #=q 0x366f4:$j: #=q 0x36710:$j: #=q 0x3672c:$j: #=q 0x3675c:$j: #=q 0x36778:$j: #=q
00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x35a4d:$a1: NanoCore.ClientPluginHost 0x35a0d:$a2: NanoCore.ClientPlugin 0x37966:$b1: get_BuilderSettings 0x35869:$b2: ClientLoaderForm.resources 0x37086:$b3: PluginCommand 0x35a3e:$b4: IClientAppHost 0x3febe:$b5: GetBlockHash 0x37fbe:$b6: AddHostEntry 0x3bcb1:$b7: LogClientException 0x37f2b:$b8: PipeExists 0x35a77:$b9: IClientLoggingHost
00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xfcdd:$x1: NanoCore.ClientPluginHost 0xfd1a:$x2: IClientNetworkHost 0x1384d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfa45:$a: NanoCore 0xfa55:$a: NanoCore 0xfc89:$a: NanoCore 0xfc9d:$a: NanoCore 0xfcdd:$a: NanoCore 0xfaa4:$b: ClientPlugin 0xfca6:$b: ClientPlugin 0xfce6:$b: ClientPlugin 0xfbcb:$c: ProjectData 0x105d2:$d: DESCrypto 0x17f9e:$e: KeepAlive 0x15f8c:$g: LogClientMessage 0x12187:$i: get_Connected 0x10908:$j: #=q 0x10938:$j: #=q 0x10954:$j: #=q 0x10984:$j: #=q 0x109a0:$j: #=q 0x109bc:$j: #=q 0x109ec:$j: #=q 0x10a08:$j: #=q
00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfcdd:$a1: NanoCore.ClientPluginHost 0xfc9d:$a2: NanoCore.ClientPlugin 0x11bf6:$b1: get_BuilderSettings 0xfaf9:$b2: ClientLoaderForm.resources 0x11316:$b3: PluginCommand 0xfcce:$b4: IClientAppHost 0x1a14e:$b5: GetBlockHash 0x1224e:$b6: AddHostEntry 0x15f41:$b7: LogClientException 0x121bb:$b8: PipeExists 0xfd07:$b9: IClientLoggingHost
00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x760cd:$x1: NanoCore.ClientPluginHost 0x7610a:$x2: IClientNetworkHost 0x79c3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x75e35:$a: NanoCore 0x75e45:$a: NanoCore 0x76079:$a: NanoCore 0x7608d:$a: NanoCore 0x760cd:$a: NanoCore 0x75e94:$b: ClientPlugin 0x76096:$b: ClientPlugin 0x760d6:$b: ClientPlugin 0x75fbb:$c: ProjectData 0x769c2:$d: DESCrypto 0x7e38e:$e: KeepAlive 0x7c37c:$g: LogClientMessage 0x78577:$i: get_Connected 0x76cf8:$j: #=q 0x76d28:$j: #=q 0x76d44:$j: #=q 0x76d74:$j: #=q 0x76d90:$j: #=q 0x76dac:$j: #=q 0x76ddc:$j: #=q 0x76df8:$j: #=q
00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x760cd:$a1: NanoCore.ClientPluginHost 0x7608d:$a2: NanoCore.ClientPlugin 0x77fe6:$b1: get_BuilderSettings 0x75ee9:$b2: ClientLoaderForm.resources 0x77706:$b3: PluginCommand 0x760be:$b4: IClientAppHost 0x8053e:$b5: GetBlockHash 0x7863e:$b6: AddHostEntry 0x7c331:$b7: LogClientException 0x785ab:$b8: PipeExists 0x760f7:$b9: IClientLoggingHost
00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf58d:$x1: NanoCore.ClientPluginHost 0x42195:$x1: NanoCore.ClientPluginHost 0xf5ca:$x2: IClientNetworkHost 0x421d2:$x2: IClientNetworkHost 0x130fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x45d05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf2f5:$a: NanoCore 0xf305:$a: NanoCore 0xf539:$a: NanoCore 0xf54d:$a: NanoCore 0xf58d:$a: NanoCore 0x41efd:$a: NanoCore 0x41f0d:$a: NanoCore 0x42141:$a: NanoCore 0x42155:$a: NanoCore 0x42195:$a: NanoCore 0xf354:$b: ClientPlugin 0xf556:$b: ClientPlugin 0xf596:$b: ClientPlugin 0x41f5c:$b: ClientPlugin 0x4215e:$b: ClientPlugin 0x4219e:$b: ClientPlugin 0xf47b:$c: ProjectData 0x42083:$c: ProjectData 0xfe82:$d: DESCrypto 0x42a8a:$d: DESCrypto 0x1784e:$e: KeepAlive
00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf58d:$a1: NanoCore.ClientPluginHost 0x42195:$a1: NanoCore.ClientPluginHost 0xf54d:$a2: NanoCore.ClientPlugin 0x42155:$a2: NanoCore.ClientPlugin 0x114a6:$b1: get_BuilderSettings 0x440ae:$b1: get_BuilderSettings 0xf3a9:$b2: ClientLoaderForm.resources 0x41fb1:$b2: ClientLoaderForm.resources 0x10bc6:$b3: PluginCommand 0x437ce:$b3: PluginCommand 0xf57e:$b4: IClientAppHost 0x42186:$b4: IClientAppHost 0x199fe:$b5: GetBlockHash 0x4c606:$b5: GetBlockHash 0x11afe:$b6: AddHostEntry 0x44706:$b6: AddHostEntry 0x157f1:$b7: LogClientException 0x483f9:$b7: LogClientException 0x11a6b:$b8: PipeExists 0x44673:$b8: PipeExists 0xf5b7:$b9: IClientLoggingHost
00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a6d:$a: NanoCore 0x49ac6:$a: NanoCore 0x49b03:$a: NanoCore 0x49b7c:$a: NanoCore 0x5d227:$a: NanoCore 0x5d23c:$a: NanoCore 0x5d271:$a: NanoCore 0x76213:$a: NanoCore 0x76228:$a: NanoCore 0x7625d:$a: NanoCore 0x49acf:$b: ClientPlugin 0x49b0c:$b: ClientPlugin 0x4a40a:$b: ClientPlugin 0x4a417:$b: ClientPlugin 0x5cfe3:$b: ClientPlugin 0x5cffe:$b: ClientPlugin 0x5d02e:$b: ClientPlugin 0x5d245:$b: ClientPlugin 0x5d27a:$b: ClientPlugin 0x75fcf:$b: ClientPlugin 0x75fea:$b: ClientPlugin
00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x49b03:$a1: NanoCore.ClientPluginHost 0x5d271:$a1: NanoCore.ClientPluginHost 0x7625d:$a1: NanoCore.ClientPluginHost 0x49ac6:$a2: NanoCore.ClientPlugin 0x5d23c:$a2: NanoCore.ClientPlugin 0x76228:$a2: NanoCore.ClientPlugin 0x49e9a:$b1: get_BuilderSettings 0x621b7:$b1: get_BuilderSettings 0x7b1a3:$b1: get_BuilderSettings 0x49b51:$b4: IClientAppHost 0x49f0b:$b6: AddHostEntry 0x49f7a:$b7: LogClientException 0x62126:$b7: LogClientException 0x7b112:$b7: LogClientException 0x49eef:$b8: PipeExists 0x49b3e:$b9: IClientLoggingHost 0x5d28b:$b9: IClientLoggingHost 0x76277:$b9: IClientLoggingHost
Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1e1d04:$x1: NanoCore.ClientPluginHost 0x22bbca:$x1: NanoCore.ClientPluginHost 0x26d86f:$x1: NanoCore.ClientPluginHost 0x3627d9:$x1: NanoCore.ClientPluginHost 0x47361d:$x1: NanoCore.ClientPluginHost 0x48af94:$x1: NanoCore.ClientPluginHost 0x4b0bd3:$x1: NanoCore.ClientPluginHost 0x4caba2:$x1: NanoCore.ClientPluginHost 0x7ccc3c:$x1: NanoCore.ClientPluginHost 0x7e679e:$x1: NanoCore.ClientPluginHost 0x8bb08a:$x1: NanoCore.ClientPluginHost 0x9569ed:$x1: NanoCore.ClientPluginHost 0xc5ac3f:$x1: NanoCore.ClientPluginHost 0xc72baf:$x1: NanoCore.ClientPluginHost 0x1e1d41:$x2: IClientNetworkHost 0x22bc07:$x2: IClientNetworkHost 0x26d8ac:$x2: IClientNetworkHost 0x362816:$x2: IClientNetworkHost 0x47365a:$x2: IClientNetworkHost 0x48afd1:$x2: IClientNetworkHost 0x4b0c10:$x2: IClientNetworkHost
Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1e19d1:$a: NanoCore 0x1e19e1:$a: NanoCore 0x1e1aa0:$a: NanoCore 0x1e1aaf:$a: NanoCore 0x1e1cb0:$a: NanoCore 0x1e1cc4:$a: NanoCore 0x1e1d04:$a: NanoCore 0x1ecf22:$a: NanoCore 0x1ecf34:$a: NanoCore 0x1ecf70:$a: NanoCore 0x22b897:$a: NanoCore 0x22b8a7:$a: NanoCore 0x22b966:$a: NanoCore 0x22b975:$a: NanoCore 0x22bb76:$a: NanoCore 0x22bb8a:$a: NanoCore 0x22bbca:$a: NanoCore 0x236de8:$a: NanoCore 0x236dfa:$a: NanoCore 0x236e36:$a: NanoCore 0x26d53c:$a: NanoCore
Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1e1d04:$a1: NanoCore.ClientPluginHost 0x22bbca:$a1: NanoCore.ClientPluginHost 0x26d86f:$a1: NanoCore.ClientPluginHost 0x3627d9:$a1: NanoCore.ClientPluginHost 0x47361d:$a1: NanoCore.ClientPluginHost 0x48af94:$a1: NanoCore.ClientPluginHost 0x4b0bd3:$a1: NanoCore.ClientPluginHost 0x4caba2:$a1: NanoCore.ClientPluginHost 0x7ccc3c:$a1: NanoCore.ClientPluginHost 0x7e679e:$a1: NanoCore.ClientPluginHost 0x8bb08a:$a1: NanoCore.ClientPluginHost 0x9569ed:$a1: NanoCore.ClientPluginHost 0xc5ac3f:$a1: NanoCore.ClientPluginHost 0xc72baf:$a1: NanoCore.ClientPluginHost 0x1e1cc4:$a2: NanoCore.ClientPlugin 0x22bb8a:$a2: NanoCore.ClientPlugin 0x26d82f:$a2: NanoCore.ClientPlugin 0x362799:$a2: NanoCore.ClientPlugin 0x4735dd:$a2: NanoCore.ClientPlugin 0x48af54:$a2: NanoCore.ClientPlugin 0x4b0b93:$a2: NanoCore.ClientPlugin
Process Memory Space: MSBuild.exe PID: 5980	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 5980	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc0d:$a: NanoCore 0x19cda:$a: NanoCore 0x2960d:$a: NanoCore 0x29621:$a: NanoCore 0x48efb:$a: NanoCore 0x48f54:$a: NanoCore 0x48f91:$a: NanoCore 0x4900a:$a: NanoCore 0x498af:$a: NanoCore 0x49902:$a: NanoCore 0x4993b:$a: NanoCore 0x499ae:$a: NanoCore 0x697b4:$a: NanoCore 0x697c9:$a: NanoCore 0x697fe:$a: NanoCore 0x6e980:$a: NanoCore 0x6e993:$a: NanoCore 0x6e9c5:$a: NanoCore 0x9706a:$a: NanoCore 0x970c3:$a: NanoCore 0x97100:$a: NanoCore
Process Memory Space: MSBuild.exe PID: 5980	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x48f91:$a1: NanoCore.ClientPluginHost 0x697fe:$a1: NanoCore.ClientPluginHost 0x97100:$a1: NanoCore.ClientPluginHost 0x48f54:$a2: NanoCore.ClientPlugin 0x697c9:$a2: NanoCore.ClientPlugin 0x970c3:$a2: NanoCore.ClientPlugin 0x492f7:$b1: get_BuilderSettings 0x6e5d0:$b1: get_BuilderSettings 0x9747a:$b1: get_BuilderSettings 0x48fdf:$b4: IClientAppHost 0x9714e:$b4: IClientAppHost 0x49368:$b6: AddHostEntry 0x974eb:$b6: AddHostEntry 0x493d7:$b7: LogClientException 0x6e53f:$b7: LogClientException 0x9755a:$b7: LogClientException 0x4934c:$b8: PipeExists 0x974cf:$b8: PipeExists 0x48fcc:$b9: IClientLoggingHost 0x69818:$b9: IClientLoggingHost 0x9713b:$b9: IClientLoggingHost
Process Memory Space: znytpstdcrwsisx.exe PID: 5292	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x6a7a1:$x1: NanoCore.ClientPluginHost 0x82152:$x1: NanoCore.ClientPluginHost 0x1139e8:$x1: NanoCore.ClientPluginHost 0x1304d9:$x1: NanoCore.ClientPluginHost 0x14e165:$x1: NanoCore.ClientPluginHost 0x1715d2:$x1: NanoCore.ClientPluginHost 0x1aaca5:$x1: NanoCore.ClientPluginHost 0x1ee530:$x1: NanoCore.ClientPluginHost 0x213ba1:$x1: NanoCore.ClientPluginHost 0x23d02d:$x1: NanoCore.ClientPluginHost 0x254db6:$x1: NanoCore.ClientPluginHost 0x26d215:$x1: NanoCore.ClientPluginHost 0x2863f3:$x1: NanoCore.ClientPluginHost 0x2a2098:$x1: NanoCore.ClientPluginHost 0x6a7de:$x2: IClientNetworkHost 0x8218f:$x2: IClientNetworkHost 0x113a25:$x2: IClientNetworkHost 0x130516:$x2: IClientNetworkHost 0x14e1a2:$x2: IClientNetworkHost 0x17160f:$x2: IClientNetworkHost 0x1aace2:$x2: IClientNetworkHost
Process Memory Space: znytpstdcrwsisx.exe PID: 5292	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: znytpstdcrwsisx.exe PID: 5292	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6a46e:$a: NanoCore 0x6a47e:$a: NanoCore 0x6a53d:$a: NanoCore 0x6a54c:$a: NanoCore 0x6a74d:$a: NanoCore 0x6a761:$a: NanoCore 0x6a7a1:$a: NanoCore 0x759bf:$a: NanoCore 0x759d1:$a: NanoCore 0x75a0d:$a: NanoCore 0x81e1f:$a: NanoCore 0x81e2f:$a: NanoCore 0x81eee:$a: NanoCore 0x81efd:$a: NanoCore 0x820fe:$a: NanoCore 0x82112:$a: NanoCore 0x82152:$a: NanoCore 0x8d370:$a: NanoCore 0x8d382:$a: NanoCore 0x8d3be:$a: NanoCore 0x1136b5:$a: NanoCore
Process Memory Space: znytpstdcrwsisx.exe PID: 5292	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6a7a1:$a1: NanoCore.ClientPluginHost 0x82152:$a1: NanoCore.ClientPluginHost 0x1139e8:$a1: NanoCore.ClientPluginHost 0x1304d9:$a1: NanoCore.ClientPluginHost 0x14e165:$a1: NanoCore.ClientPluginHost 0x1715d2:$a1: NanoCore.ClientPluginHost 0x1aaca5:$a1: NanoCore.ClientPluginHost 0x1ee530:$a1: NanoCore.ClientPluginHost 0x213ba1:$a1: NanoCore.ClientPluginHost 0x23d02d:$a1: NanoCore.ClientPluginHost 0x254db6:$a1: NanoCore.ClientPluginHost 0x26d215:$a1: NanoCore.ClientPluginHost 0x2863f3:$a1: NanoCore.ClientPluginHost 0x2a2098:$a1: NanoCore.ClientPluginHost 0x6a761:$a2: NanoCore.ClientPlugin 0x82112:$a2: NanoCore.ClientPlugin 0x1139a8:$a2: NanoCore.ClientPlugin 0x130499:$a2: NanoCore.ClientPlugin 0x14e125:$a2: NanoCore.ClientPlugin 0x171592:$a2: NanoCore.ClientPlugin 0x1aac65:$a2: NanoCore.ClientPlugin
Process Memory Space: MSBuild.exe PID: 5944	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xc6d4:$x1: NanoCore.ClientPluginHost 0xf7a6:$x1: NanoCore.ClientPluginHost 0x2e530:$x1: NanoCore.ClientPluginHost 0xc6ee:$x2: IClientNetworkHost 0xf7e3:$x2: IClientNetworkHost 0x2e54a:$x2: IClientNetworkHost 0x132d4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e35a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: MSBuild.exe PID: 5944	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 5944	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5b7:$a: NanoCore 0xf41:$a: NanoCore 0x3708:$a: NanoCore 0x3775:$a: NanoCore 0x37e8:$a: NanoCore 0xc63e:$a: NanoCore 0xc697:$a: NanoCore 0xc6d4:$a: NanoCore 0xc74d:$a: NanoCore 0xced9:$a: NanoCore 0xcf2c:$a: NanoCore 0xcf65:$a: NanoCore 0xcfd8:$a: NanoCore 0xdc1b:$a: NanoCore 0xdc72:$a: NanoCore 0xf473:$a: NanoCore 0xf483:$a: NanoCore 0xf542:$a: NanoCore 0xf551:$a: NanoCore 0xf752:$a: NanoCore 0xf766:$a: NanoCore
Process Memory Space: MSBuild.exe PID: 5944	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xc6d4:$a1: NanoCore.ClientPluginHost 0xf7a6:$a1: NanoCore.ClientPluginHost 0x2e530:$a1: NanoCore.ClientPluginHost 0xc697:$a2: NanoCore.ClientPlugin 0xf766:$a2: NanoCore.ClientPlugin 0x2e4f3:$a2: NanoCore.ClientPlugin 0x5e7b:$b1: get_BuilderSettings 0x1167d:$b1: get_BuilderSettings 0x2e8aa:$b1: get_BuilderSettings 0xf527:$b2: ClientLoaderForm.resources 0x10d9d:$b3: PluginCommand 0xc722:$b4: IClientAppHost 0xf797:$b4: IClientAppHost 0x2e57e:$b4: IClientAppHost 0x19bd0:$b5: GetBlockHash 0xca2d:$b6: AddHostEntry 0x11cd5:$b6: AddHostEntry 0x1cdf4:$b6: AddHostEntry 0x2e91b:$b6: AddHostEntry 0x5dea:$b7: LogClientException 0x159c8:$b7: LogClientException
Click to see the 150 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.MSBuild.exe.31e3c74.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.MSBuild.exe.31e3c74.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.MSBuild.exe.31e3c74.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
7.2.MSBuild.exe.31e3c74.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
1.2.MSBuild.exe.5640000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.MSBuild.exe.5640000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.MSBuild.exe.5640000.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
1.2.MSBuild.exe.5640000.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
1.2.MSBuild.exe.59f0000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
1.2.MSBuild.exe.59f0000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
1.2.MSBuild.exe.59f0000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.MSBuild.exe.59f0000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
1.2.MSBuild.exe.59f0000.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
7.2.MSBuild.exe.4209c8e.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
7.2.MSBuild.exe.4209c8e.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
7.2.MSBuild.exe.4209c8e.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.MSBuild.exe.4209c8e.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d59a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5cf:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d58e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d5b0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5bf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5e9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
7.2.MSBuild.exe.4209c8e.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
7.2.MSBuild.exe.4209c8e.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5cf:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d59a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x32515:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x32484:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5e9:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.3.znytpstdcrwsisx.exe.14568c0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.3.znytpstdcrwsisx.exe.14568c0.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
6.3.znytpstdcrwsisx.exe.14568c0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.3.znytpstdcrwsisx.exe.14568c0.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
7.2.MSBuild.exe.420eac4.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.MSBuild.exe.420eac4.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.MSBuild.exe.420eac4.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.MSBuild.exe.420eac4.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
7.2.MSBuild.exe.420eac4.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
1.2.MSBuild.exe.59f0000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
1.2.MSBuild.exe.59f0000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
1.2.MSBuild.exe.59f0000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.MSBuild.exe.59f0000.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
1.2.MSBuild.exe.59f0000.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.3.znytpstdcrwsisx.exe.14568c0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.3.znytpstdcrwsisx.exe.14568c0.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
6.3.znytpstdcrwsisx.exe.14568c0.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.3.znytpstdcrwsisx.exe.14568c0.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
7.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.MSBuild.exe.42130ed.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
7.2.MSBuild.exe.42130ed.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
7.2.MSBuild.exe.42130ed.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.MSBuild.exe.42130ed.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x2413b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24170:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x2412f:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24151:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24160:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x2418a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x2419d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x241b0:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241be:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241da:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
7.2.MSBuild.exe.42130ed.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24170:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x2413b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x290b6:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x29025:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x2418a:$b9: IClientLoggingHost
7.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
7.2.MSBuild.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
1.2.MSBuild.exe.59f4629.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
1.2.MSBuild.exe.59f4629.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
1.2.MSBuild.exe.59f4629.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.MSBuild.exe.59f4629.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
1.2.MSBuild.exe.59f4629.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
7.2.MSBuild.exe.420eac4.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
7.2.MSBuild.exe.420eac4.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
7.2.MSBuild.exe.420eac4.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.MSBuild.exe.420eac4.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28764:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28799:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28758:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2877a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28789:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x287b3:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287c6:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287d9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287e7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x28803:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
7.2.MSBuild.exe.420eac4.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28799:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28764:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6df:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d64e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x287b3:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.3.znytpstdcrwsisx.exe.14568c0.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.3.znytpstdcrwsisx.exe.14568c0.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
6.3.znytpstdcrwsisx.exe.14568c0.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.3.znytpstdcrwsisx.exe.14568c0.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
1.2.MSBuild.exe.2dd16f8.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.MSBuild.exe.2dd16f8.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.MSBuild.exe.2dd16f8.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
1.2.MSBuild.exe.2dd16f8.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.3.znytpstdcrwsisx.exe.14568c0.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.3.znytpstdcrwsisx.exe.14568c0.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.3.znytpstdcrwsisx.exe.14568c0.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
6.3.znytpstdcrwsisx.exe.14568c0.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.3.znytpstdcrwsisx.exe.14568c0.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x103ad:$x1: NanoCore.ClientPluginHost 0x53705:$x1: NanoCore.ClientPluginHost 0xd69cd:$x1: NanoCore.ClientPluginHost 0x103ea:$x2: IClientNetworkHost 0x53742:$x2: IClientNetworkHost 0xd6a0a:$x2: IClientNetworkHost 0x13f1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x57275:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xda53d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x10115:$x1: NanoCore Client 0x10125:$x1: NanoCore Client 0x5346d:$x1: NanoCore Client 0x5347d:$x1: NanoCore Client 0xd6735:$x1: NanoCore Client 0xd6745:$x1: NanoCore Client 0x1036d:$x2: NanoCore.ClientPlugin 0x536c5:$x2: NanoCore.ClientPlugin 0xd698d:$x2: NanoCore.ClientPlugin 0x103ad:$x3: NanoCore.ClientPluginHost 0x53705:$x3: NanoCore.ClientPluginHost 0xd69cd:$x3: NanoCore.ClientPluginHost 0x10362:$i1: IClientApp 0x536ba:$i1: IClientApp 0xd6982:$i1: IClientApp 0x10383:$i2: IClientData 0x536db:$i2: IClientData 0xd69a3:$i2: IClientData 0x1038f:$i3: IClientNetwork 0x536e7:$i3: IClientNetwork 0xd69af:$i3: IClientNetwork
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10115:$a: NanoCore 0x10125:$a: NanoCore 0x10359:$a: NanoCore 0x1036d:$a: NanoCore 0x103ad:$a: NanoCore 0x5346d:$a: NanoCore 0x5347d:$a: NanoCore 0x536b1:$a: NanoCore 0x536c5:$a: NanoCore 0x53705:$a: NanoCore 0xd6735:$a: NanoCore 0xd6745:$a: NanoCore 0xd6979:$a: NanoCore 0xd698d:$a: NanoCore 0xd69cd:$a: NanoCore 0x10174:$b: ClientPlugin 0x10376:$b: ClientPlugin 0x103b6:$b: ClientPlugin 0x534cc:$b: ClientPlugin 0x536ce:$b: ClientPlugin 0x5370e:$b: ClientPlugin
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x103ad:$a1: NanoCore.ClientPluginHost 0x53705:$a1: NanoCore.ClientPluginHost 0xd69cd:$a1: NanoCore.ClientPluginHost 0x1036d:$a2: NanoCore.ClientPlugin 0x536c5:$a2: NanoCore.ClientPlugin 0xd698d:$a2: NanoCore.ClientPlugin 0x122c6:$b1: get_BuilderSettings 0x5561e:$b1: get_BuilderSettings 0xd88e6:$b1: get_BuilderSettings 0x101c9:$b2: ClientLoaderForm.resources 0x53521:$b2: ClientLoaderForm.resources 0xd67e9:$b2: ClientLoaderForm.resources 0x119e6:$b3: PluginCommand 0x54d3e:$b3: PluginCommand 0xd8006:$b3: PluginCommand 0x1039e:$b4: IClientAppHost 0x536f6:$b4: IClientAppHost 0xd69be:$b4: IClientAppHost 0x1a81e:$b5: GetBlockHash 0x5db76:$b5: GetBlockHash 0xe0e3e:$b5: GetBlockHash
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4cfa5:$x1: NanoCore.ClientPluginHost 0x1135c5:$x1: NanoCore.ClientPluginHost 0x4cfe2:$x2: IClientNetworkHost 0x113602:$x2: IClientNetworkHost 0x50b15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x117135:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4cd0d:$x1: NanoCore Client 0x4cd1d:$x1: NanoCore Client 0x11332d:$x1: NanoCore Client 0x11333d:$x1: NanoCore Client 0x4cf65:$x2: NanoCore.ClientPlugin 0x113585:$x2: NanoCore.ClientPlugin 0x4cfa5:$x3: NanoCore.ClientPluginHost 0x1135c5:$x3: NanoCore.ClientPluginHost 0x4cf5a:$i1: IClientApp 0x11357a:$i1: IClientApp 0x4cf7b:$i2: IClientData 0x11359b:$i2: IClientData 0x4cf87:$i3: IClientNetwork 0x1135a7:$i3: IClientNetwork 0x4cf96:$i4: IClientAppHost 0x1135b6:$i4: IClientAppHost 0x4cfbf:$i5: IClientDataHost 0x1135df:$i5: IClientDataHost 0x4cfcf:$i6: IClientLoggingHost 0x1135ef:$i6: IClientLoggingHost 0x4cfe2:$i7: IClientNetworkHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4cd0d:$a: NanoCore 0x4cd1d:$a: NanoCore 0x4cf51:$a: NanoCore 0x4cf65:$a: NanoCore 0x4cfa5:$a: NanoCore 0x11332d:$a: NanoCore 0x11333d:$a: NanoCore 0x113571:$a: NanoCore 0x113585:$a: NanoCore 0x1135c5:$a: NanoCore 0x4cd6c:$b: ClientPlugin 0x4cf6e:$b: ClientPlugin 0x4cfae:$b: ClientPlugin 0x11338c:$b: ClientPlugin 0x11358e:$b: ClientPlugin 0x1135ce:$b: ClientPlugin 0x4ce93:$c: ProjectData 0x1134b3:$c: ProjectData 0x4d89a:$d: DESCrypto 0x113eba:$d: DESCrypto 0x55266:$e: KeepAlive
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4cfa5:$a1: NanoCore.ClientPluginHost 0x1135c5:$a1: NanoCore.ClientPluginHost 0x4cf65:$a2: NanoCore.ClientPlugin 0x113585:$a2: NanoCore.ClientPlugin 0x4eebe:$b1: get_BuilderSettings 0x1154de:$b1: get_BuilderSettings 0x4cdc1:$b2: ClientLoaderForm.resources 0x1133e1:$b2: ClientLoaderForm.resources 0x4e5de:$b3: PluginCommand 0x114bfe:$b3: PluginCommand 0x4cf96:$b4: IClientAppHost 0x1135b6:$b4: IClientAppHost 0x57416:$b5: GetBlockHash 0x11da36:$b5: GetBlockHash 0x4f516:$b6: AddHostEntry 0x115b36:$b6: AddHostEntry 0x53209:$b7: LogClientException 0x119829:$b7: LogClientException 0x4f483:$b8: PipeExists 0x115aa3:$b8: PipeExists 0x4cfcf:$b9: IClientLoggingHost
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x25af35:$x1: NanoCore.ClientPluginHost 0x26a485:$x1: NanoCore.ClientPluginHost 0x31c955:$x1: NanoCore.ClientPluginHost 0x25af72:$x2: IClientNetworkHost 0x26a4c2:$x2: IClientNetworkHost 0x31c992:$x2: IClientNetworkHost 0x26dff5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3204c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x25ac9d:$x1: NanoCore Client 0x25acad:$x1: NanoCore Client 0x26a1ed:$x1: NanoCore Client 0x26a1fd:$x1: NanoCore Client 0x31c6bd:$x1: NanoCore Client 0x31c6cd:$x1: NanoCore Client 0x25aef5:$x2: NanoCore.ClientPlugin 0x26a445:$x2: NanoCore.ClientPlugin 0x31c915:$x2: NanoCore.ClientPlugin 0x25af35:$x3: NanoCore.ClientPluginHost 0x26a485:$x3: NanoCore.ClientPluginHost 0x31c955:$x3: NanoCore.ClientPluginHost 0x25aeea:$i1: IClientApp 0x26a43a:$i1: IClientApp 0x31c90a:$i1: IClientApp 0x25af0b:$i2: IClientData 0x26a45b:$i2: IClientData 0x31c92b:$i2: IClientData 0x25af17:$i3: IClientNetwork 0x26a467:$i3: IClientNetwork 0x31c937:$i3: IClientNetwork
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x25ac9d:$a: NanoCore 0x25acad:$a: NanoCore 0x25aee1:$a: NanoCore 0x25aef5:$a: NanoCore 0x25af35:$a: NanoCore 0x26a1ed:$a: NanoCore 0x26a1fd:$a: NanoCore 0x26a431:$a: NanoCore 0x26a445:$a: NanoCore 0x26a485:$a: NanoCore 0x31c6bd:$a: NanoCore 0x31c6cd:$a: NanoCore 0x31c901:$a: NanoCore 0x31c915:$a: NanoCore 0x31c955:$a: NanoCore 0x25acfc:$b: ClientPlugin 0x25aefe:$b: ClientPlugin 0x25af3e:$b: ClientPlugin 0x26a24c:$b: ClientPlugin 0x26a44e:$b: ClientPlugin 0x26a48e:$b: ClientPlugin
0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x25af35:$a1: NanoCore.ClientPluginHost 0x26a485:$a1: NanoCore.ClientPluginHost 0x31c955:$a1: NanoCore.ClientPluginHost 0x25aef5:$a2: NanoCore.ClientPlugin 0x26a445:$a2: NanoCore.ClientPlugin 0x31c915:$a2: NanoCore.ClientPlugin 0x25ce4e:$b1: get_BuilderSettings 0x26c39e:$b1: get_BuilderSettings 0x31e86e:$b1: get_BuilderSettings 0x25ad51:$b2: ClientLoaderForm.resources 0x26a2a1:$b2: ClientLoaderForm.resources 0x31c771:$b2: ClientLoaderForm.resources 0x25c56e:$b3: PluginCommand 0x26babe:$b3: PluginCommand 0x31df8e:$b3: PluginCommand 0x25af26:$b4: IClientAppHost 0x26a476:$b4: IClientAppHost 0x31c946:$b4: IClientAppHost 0x2748f6:$b5: GetBlockHash 0x3265c6:$b5: GetBlockHash 0x25d4a6:$b6: AddHostEntry
Click to see the 190 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 5980, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, ProcessId: 7044, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ParentProcessId: 5980, ParentProcessName: MSBuild.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp, ProcessId: 5916, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264971118962025019 06/04/23-11:28:18.475887
SID:	2025019
Source Port:	49711
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264971718962025019 06/04/23-11:28:50.523433
SID:	2025019
Source Port:	49717
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264970718962025019 06/04/23-11:27:57.173727
SID:	2025019
Source Port:	49707
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264971218962025019 06/04/23-11:28:23.420896
SID:	2025019
Source Port:	49712
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264971318962025019 06/04/23-11:28:28.432846
SID:	2025019
Source Port:	49713
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264971918962025019 06/04/23-11:29:00.977409
SID:	2025019
Source Port:	49719
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264971818962025019 06/04/23-11:28:55.916794
SID:	2025019
Source Port:	49718
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264970518962025019 06/04/23-11:27:45.907549
SID:	2025019
Source Port:	49705
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264969918962025019 06/04/23-11:27:14.981963
SID:	2025019
Source Port:	49699
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264970618962025019 06/04/23-11:27:50.915043
SID:	2025019
Source Port:	49706
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264970118962025019 06/04/23-11:27:25.413836
SID:	2025019
Source Port:	49701
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.264970018962025019 06/04/23-11:27:20.405611
SID:	2025019
Source Port:	49700
Destination Port:	1896
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "2ad4e32f-c687-4329-b5e5-302ef0e0", "Group": "Default", "Domain1": "nickdns22.duckdns.org", "Domain2": "127.0.0.1", "Port": 1896, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	ReversingLabs: Detection: 70%
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Virustotal: Detection: 65%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

Avira: detection malicious, Label: DR/AutoIt.Gen8

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

ReversingLabs: Detection: 80%

Yara detected Nanocore RAT

Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 5292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5944, type: MEMORYSTR

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: indows\MSBuild.pdbpdbild.pdbs source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb666 source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372161750.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\MSBuild.pdbf source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\Agent\_work\24\s\Win32\Release\junction.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: remoting_desktop.exe.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr
Source:	Binary string: C:\agent\_work\93\s\Win32\Release Console\autorunsc.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372161750.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49699 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49700 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49701 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49705 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49706 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49707 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49711 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49712 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49713 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49717 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49718 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49719 -> 192.169.69.26:1896

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: nickdns22.duckdns.org
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Source: unknown

DNS query: name: nickdns22.duckdns.org

Source: Joe Sandbox View

ASN Name: WOWUS WOWUS

Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26

Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 209.197.3.8
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.225.155
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: http://citationstyles.org/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: http://creativecommons.org/licenses/by-sa/3.0/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab:
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: http://p.yusukekamiyamane.com/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: http://support.mendeley.com/customer/portal/articles/227955
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.com
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comFileVersionLegalCopyright
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: http://www.sysinternals.comFileVersionLegalCopyrightLISTBOXDEL:AllUsersuserComputerscomputerGroupsgr
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.364770823.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comWindowPositionSOFTWARE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comopenConnection
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comopenThe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://citationstyles.org
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlBrowser
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://crashpad.chromium.org/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://csl.mendeley.com
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://github.com/Juris-M/citeproc-js
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://github.com/citation-style-language/styles
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ims-na1-stg1.adobelogin.com
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ims-prod06.adobelogin.com
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-cops-dev.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-cops-dev.adobe.iohttps://lcs-cops-stage.adobe.iohttps://lcs-cops.adobe.iohttps://lcs-rob
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-cops-stage.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-cops.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-robs-dev.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-robs-stage.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-robs.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-ulecs-dev.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-ulecs-stage.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-ulecs.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://plasma.kde.org
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://rrchnm.org/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/19611/kw/duplicates/supporthub/mendeley/Yes
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/22094/kw/migrate/supporthub/mendeley/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contac
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQ
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.elsevier.com/legal/elsevier-website-terms-and-conditions
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.elsevier.com/legal/privacy-policy
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.gmu.edu/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.mendeley.com/library
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-website
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.sysinternals.comntdllRtlInitUnicodeStringNtOpenDirectoryObjectNtQuerySectionNtQueryDirec
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.virustotal.com/about/terms-of-service%s
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.virustotal.com/en/about/terms-of-service/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.virustotal.comPOST4e3202fdbe953d628f650229af5b3eb49cd46b2d3bfe5546ae3c5fa48b554e0capikey
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.zotero.org/

Source: unknown

DNS traffic detected: queries for: nickdns22.duckdns.org

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Code function: 1_2_05022AC6 WSARecv,

Source: MSBuild.exe, 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 5292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5944, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.MSBuild.exe.2dd16f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.MSBuild.exe.2dd16f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.MSBuild.exe.2dd16f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.630789913.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 5980, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 5980, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 5292, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 5292, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 5292, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 5944, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: MSBuild.exe PID: 5944, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 5944, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.364108293.000000000487B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.364108293.000000000487B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000000.361773437.000000000037E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000000.361773437.000000000037E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 0SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005B78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C "!CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: znytpstdcrwsisx.exe, 00000006.00000002.411194467.0000000000E9E000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: znytpstdcrwsisx.exe, 00000006.00000002.411194467.0000000000E9E000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.MSBuild.exe.2dd16f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.2dd16f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.2dd16f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.MSBuild.exe.2dd16f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.630789913.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 5980, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 5980, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 5292, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 5292, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 5292, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 5944, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MSBuild.exe PID: 5944, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 5944, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url, type: DROPPED	Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E17AC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_02918678
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_02919278
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_029123A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_02912FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_02913850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0291AD18
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0291933F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_02919B20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0291306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 4_2_05651DF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 4_2_05650708
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 7_2_02E423A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 7_2_02E42FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 7_2_02E43850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 7_2_02E4306F

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05023012 NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05022FD7 NtQuerySystemInformation,

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.000000000542E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.364770823.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Source: znytpstdcrwsisx.exe.0.dr	Static PE information: Number of sections : 72 > 10
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Number of sections : 72 > 10

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	ReversingLabs: Detection: 70%
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

File read: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Jump to behavior

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe "C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe"
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05022DD2 AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05022D9B AdjustTokenPrivileges,

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

File created: C:\Users\user\AppData\Roaming\hdoydskbdx

Jump to behavior

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

File created: C:\Users\user\AppData\Local\Temp\aut8DF8.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@11/9@12/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3676:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2ad4e32f-c687-4329-b5e5-302ef0e0906d}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3100:120:WilError_01

Source: MSBuild.exe, 00000004.00000002.393114971.00000000034B1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: *.sln

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: /cite/word/install
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: Couldn't find documents: You have selected documents from both My Library a Shared Group, or from multiple Shared Groups, which is not supported.Documents in multiple groupsPlease select the documents you wish to cite.importing %1 documents from plugin into ??geometry/newLibrarySplittergeometry/horizontalSplittergeometry/verticalSplitterSynchronizing - Step %1 of %2GroupFilterCollectionDeletedFilter1trigger()Synchronizing Zotero - Step %1 of %22duplicateSearchStarted(WorkerJob::Pointer)1highlightAndScrollTo(QList<Document::Pointer>)2allJobsFinished(QList<Document::Pointer>)Invite/invite/?dgcid=Mendeley_Desktop_Invite-colleagues/cite/word/install/importshowSignInmendeley://loginshowJoinMendeleyFormmendeley://registerDelete this document from your library?Delete %1 documents from your library?
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: 1openHelpGuides()Help Guides1openMendeleyWebsite()Mendeley Website1openFAQ()FAQ1openContactSupport()Contact SupportCheck for UpdatesCheck Now1toggleCheckForPreviewUpdates()Create Backup...1openMendeleyPrivacyPolicy()Privacy Policy1openMendeleyTandCs()Terms and Conditions1showAbout()https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-websitehttps://www.elsevier.com/legal/elsevier-website-terms-and-conditionshttps://www.elsevier.com/legal/privacy-policyhttps://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQhttps://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contact-SupportOpt-out of Experimental ReleasesOpt-in to Experimental Releases
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: Try '%ls --help' for more information.

Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Static file information: File size 4967948 > 1048576

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: indows\MSBuild.pdbpdbild.pdbs source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb666 source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372161750.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\MSBuild.pdbf source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\Agent\_work\24\s\Win32\Release\junction.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: remoting_desktop.exe.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr
Source:	Binary string: C:\agent\_work\93\s\Win32\Release Console\autorunsc.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372161750.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E174AC push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E174B8 push ebp; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E1549B push edi; retn 0000h
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E19D5C push 7800E1CBh; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E19E34 pushfd ; retf

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: eSkkNGPG
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: PTcLNQBR
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: uhxZiqpZ
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: bMgQsjaV
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: GBMbimfi
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: DgfAMsww
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: rSvCgsmi
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: YskjstAT
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: LoVCKuYF
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: WVocwQqb
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: oSCGvaQZ
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: yZjSVOZX
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: QXbsjhZl
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: yyMCijkk
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: mpFeMMWO
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: lykrKTJc
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: uiehIGyj
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: zVFOZMAw
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: YlpJAimU
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: JwzqdXdu
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: UGiiFcPP
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: WQbVwRsn
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: tPcESPxm
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: aJkBpZiD
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: oVRlQlUl
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: kJDrTOOv
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: dPNhZlJs
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: tpgvdaSU
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: stGTwKsk
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: NWtntEHY
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: SeCKBtus
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: YLnRofwZ
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: ITlNviCX
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: xXKSfIFI
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: rzHoctSy
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: tqGkaUrY
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: XUULAqjj
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: OJKanVIF
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: XOKAQdyM
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: bvHwouBZ
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: emfUrPdE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: wDjKtsMK
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: mVRJZClE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: tOofDbnU
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: jMZzwYXU
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: nBeILfXx
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: vXOIjvTV
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: HdeHlMsv
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: INgZfirH
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: kDTxXhPW
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: WGoHkNIX
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: KQZwnOJl
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: TIucAObT
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: LbFXKCFw
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: zVPYqkoM
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: FueMosXg
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: iRDivbUE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: qqDFgVrq
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: NoZwckKd
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: xegiIWpk
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: lFLuySNA
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: yfUTtHPf
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: HFrIlBYb
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: NCFRXlWT
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: DOngBUEn
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: XkEBteUo
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: JfnpBUQQ
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: eSkkNGPG
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: PTcLNQBR
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: uhxZiqpZ
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: bMgQsjaV
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: GBMbimfi
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: DgfAMsww
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: rSvCgsmi
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: YskjstAT
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: LoVCKuYF
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: WVocwQqb
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: oSCGvaQZ
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: yZjSVOZX
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: QXbsjhZl
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: yyMCijkk
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: mpFeMMWO
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: lykrKTJc
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: uiehIGyj
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: zVFOZMAw
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: YlpJAimU
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: JwzqdXdu
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: UGiiFcPP
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: WQbVwRsn
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: tPcESPxm
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: aJkBpZiD
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: oVRlQlUl
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: kJDrTOOv
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: dPNhZlJs
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: tpgvdaSU
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: stGTwKsk
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: NWtntEHY
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: SeCKBtus
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: YLnRofwZ
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: ITlNviCX
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: xXKSfIFI
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: rzHoctSy
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: tqGkaUrY
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: XUULAqjj
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: OJKanVIF
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: XOKAQdyM
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: bvHwouBZ
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: emfUrPdE
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: wDjKtsMK
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: mVRJZClE
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: tOofDbnU
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: jMZzwYXU
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: nBeILfXx
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: vXOIjvTV
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: HdeHlMsv
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: INgZfirH
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: kDTxXhPW
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: WGoHkNIX
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: KQZwnOJl
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: TIucAObT
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: LbFXKCFw
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: zVPYqkoM
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: FueMosXg
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: iRDivbUE
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: qqDFgVrq
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: NoZwckKd
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: xegiIWpk
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: lFLuySNA
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: yfUTtHPf
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: HFrIlBYb
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: NCFRXlWT
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: DOngBUEn
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: XkEBteUo
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: JfnpBUQQ

Source: znytpstdcrwsisx.exe.0.dr	Static PE information: real checksum: 0x12035b should be: 0x4c650c
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: real checksum: 0x12035b should be: 0x4c8c6f

Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

File created: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url

Jump to behavior

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url

Jump to behavior

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IIRP_MJ_FASTIO_PROCMON.EXEPROCEXP.EXEAUTORUNS.EXESYSTEMPAGEFILE.SYS$MFT$MFTMIRR$LOGFILE$VOLUME$ATTRDEF$ROOT$BITMAP$BOOT$BADCLUS$SECURE$UPCASE$EXTENDFAST IOINCLUDEEXCLUDE<BAD>OKAY TO OVERWRITE EVENT LOG ''?AN ERROR OCCURRED OPENING THE SNAPSHOT ''APPLYING EVENT FILTEROPERATION CANCELLED: THE LISTVIEW DATA MAY BE INCOMPLETEPROCESS MONITOR CAN OPEN AT MOST BACKING FILES<PAGEFILE>YESNOEVENTPROCESSINDEXSTACKFRAMEDEPTHADDRESS + PATHLOCATIONPROCESSPROCESSIDPARENTPROCESSIDPARENTPROCESSINDEXAUTHENTICATIONIDCREATETIMEFINISHTIMEISVIRTUALIZEDIS64BITINTEGRITYOWNERPROCESSNAMECOMMANDLINECOMPANYNAMEVERSIONDESCRIPTIONMODULELISTMODULETIMESTAMPBASEADDRESSSIZECOMPANYPROCESS MONITOR - EXPORTING EVENT DATAWT, CCS=UTF-8"%S"
Source: znytpstdcrwsisx.exe, 00000006.00000003.407665734.0000000001660000.00000004.00000020.00020000.00000000.sdmp, znytpstdcrwsisx.exe, 00000006.00000002.412419937.0000000001660000.00000004.00000020.00020000.00000000.sdmp, znytpstdcrwsisx.exe, 00000006.00000003.407387450.0000000001659000.00000004.00000020.00020000.00000000.sdmp, znytpstdcrwsisx.exe, 00000006.00000003.407487257.0000000001660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIECTRL.EXE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.390170315.000000000138A000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.383953493.000000000138A000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.389792384.000000000138A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIECTRL.EXEI0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6840	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4184	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5580	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Window / User API: foregroundWindowGot 844

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Code function: 1_2_0502140A GetSystemInfo,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: MSBuild.exe, 00000001.00000002.629865892.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.389792384.000000000138A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.exeG-
Source: MSBuild.exe, 00000001.00000002.629865892.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: znytpstdcrwsisx.exe, 00000006.00000003.407487257.0000000001660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.exe&44

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Code function: 0_2_04FE0175 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Code function: 0_2_04FE0175 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Code function: 0_2_04FE05B5 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Code function: 0_2_04FE0365 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Code function: 0_2_04FE0405 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 6_2_020B0175 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 6_2_020B0175 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 6_2_020B05B5 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 6_2_020B0365 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 6_2_020B0405 mov edx, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 891008
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: C61008

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Source: MSBuild.exe, 00000001.00000003.446100964.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.630789913.0000000003045000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.630789913.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000001.00000003.446100964.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000003.594171004.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000003.592088557.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managersoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: MSBuild.exe, 00000001.00000002.630789913.0000000003045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: MSBuild.exe, 00000001.00000002.629865892.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerT
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Reader /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplication{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcroExch.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\NotificationAppxSOFTWARE\Adobe\Acrobat Reader\\DC\SOFTWARE\Adobe\Acrobat Reader\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstoreAdobe Reader XIRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrd
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplicationSOFTWARE\Adobe\Adobe Acrobat\{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 IS_COEX_REPAIR=1 /qn/i msiexec.exe/i AppDoNotTakePDFOwnershipAtLaunch ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qnmsiexec.exeAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Dev
Source: MSBuild.exe, 00000001.00000002.629865892.0000000000F27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managery

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Code function: 0_2_00302DE3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 5292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5944, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000002.630789913.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000002.630789913.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSBuild.exe, 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: znytpstdcrwsisx.exe, 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: znytpstdcrwsisx.exe, 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSBuild.exe, 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 5292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5944, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0502260A bind,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_050225B8 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Access Token Manipulation	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	2 Registry Run Keys / Startup Folder	312 Process Injection	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Remote Access Software	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	312 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	22 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	70%	ReversingLabs	Win32.Trojan.Nymeria
Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	65%	Virustotal		Browse
Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	100%	Avira	DR/AutoIt.Gen8

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	100%	Avira	DR/AutoIt.Gen8
C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	81%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
nickdns22.duckdns.org	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.sysinternals.comopenThe	0%	URL Reputation	safe
nickdns22.duckdns.org	0%	Avira URL Cloud	safe
nickdns22.duckdns.org	2%	Virustotal		Browse
http://www.sysinternals.comFileVersionLegalCopyrightLISTBOXDEL:AllUsersuserComputerscomputerGroupsgr	0%	Avira URL Cloud	safe
https://rrchnm.org/	0%	Virustotal		Browse
https://rrchnm.org/	0%	Avira URL Cloud	safe
http://www.sysinternals.comopenConnection	0%	Avira URL Cloud	safe
http://www.sysinternals.comWindowPositionSOFTWARE	0%	Avira URL Cloud	safe
https://www.virustotal.comPOST4e3202fdbe953d628f650229af5b3eb49cd46b2d3bfe5546ae3c5fa48b554e0capikey	0%	Avira URL Cloud	safe
https://www.sysinternals.comntdllRtlInitUnicodeStringNtOpenDirectoryObjectNtQuerySectionNtQueryDirec	0%	Avira URL Cloud	safe
http://www.sysinternals.comFileVersionLegalCopyright	0%	Avira URL Cloud	safe
127.0.0.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nickdns22.duckdns.org	192.169.69.26	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nickdns22.duckdns.org	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.zotero.org/	znytpstdcrwsisx.exe.0.dr	false		high
https://ims-prod06.adobelogin.com	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://ims-na1-stg1.adobelogin.com	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-website	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQ	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://crashpad.chromium.org/bug/new	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://www.gmu.edu/	znytpstdcrwsisx.exe.0.dr	false		high
https://csl.mendeley.com	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
http://www.sysinternals.com	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	false		high
http://support.mendeley.com/customer/portal/articles/227955	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://www.elsevier.com/legal/privacy-policy	znytpstdcrwsisx.exe.0.dr	false		high
https://www.virustotal.com/about/terms-of-service%s	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sysinternals.comopenThe	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://rrchnm.org/	znytpstdcrwsisx.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://creativecommons.org/licenses/by-sa/3.0/	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
http://www.sysinternals.comFileVersionLegalCopyrightLISTBOXDEL:AllUsersuserComputerscomputerGroupsgr	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false	Avira URL Cloud: safe	low
https://service.elsevier.com/app/answers/detail/a_id/19611/kw/duplicates/supporthub/mendeley/Yes	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://www.elsevier.com/legal/elsevier-website-terms-and-conditions	znytpstdcrwsisx.exe.0.dr	false		high
https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://clients2.google.com/service/update2/crxupdate_urlBrowser	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://p.yusukekamiyamane.com/	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://github.com/Juris-M/citeproc-js	znytpstdcrwsisx.exe.0.dr	false		high
http://www.sysinternals.comWindowPositionSOFTWARE	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.364770823.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contac	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://plasma.kde.org	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://www.mendeley.com/library	znytpstdcrwsisx.exe.0.dr	false		high
https://www.virustotal.com/en/about/terms-of-service/	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
http://citationstyles.org/	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
http://www.sysinternals.comopenConnection	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/citation-style-language/styles	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://www.virustotal.comPOST4e3202fdbe953d628f650229af5b3eb49cd46b2d3bfe5546ae3c5fa48b554e0capikey	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sysinternals.comntdllRtlInitUnicodeStringNtOpenDirectoryObjectNtQuerySectionNtQueryDirec	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.sysinternals.comFileVersionLegalCopyright	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citationstyles.org	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	false		high
https://service.elsevier.com/app/answers/detail/a_id/22094/kw/migrate/supporthub/mendeley/	znytpstdcrwsisx.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.169.69.26	nickdns22.duckdns.org	United States		23033	WOWUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	881372
Start date and time:	2023-06-04 11:26:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@11/9@12/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 20% (good quality ratio 20%) Quality average: 95.5% Quality standard deviation: 4.5%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
TCP Packets have been reduced to 100
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:27:12	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url
11:27:13	API Interceptor	834x Sleep call for process: MSBuild.exe modified
11:27:15	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" s>$(Arg0)

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	325
Entropy (8bit):	5.334380084018418
Encrypted:	false
SSDEEP:	6:Q3LadLCR22IAQykdL1tZbLsbFLIP12MUAvvro6ysGMFLIP12MUAvvrs:Q3LaJU20NaL1tZbgbe4MqJsGMe4M6
MD5:	65CE98936A67552310EFE2F0FF5BDF88
SHA1:	8133653A6B9A169C7496ADE315CED322CFC3613A
SHA-256:	682F7C55B1B6E189D17755F74959CD08762F91373203B3B982ACFFCADE2E871A
SHA-512:	2D00AC024267EC384720A400F6D0B4F7EDDF49FAF8AB3C9E6CBFBBAE90ECADACA9022B33E3E8EC92E4F57C7FC830299C8643235EB4AA7D8A6AFE9DD1775F57C3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\aut8DF8.tmp

Download File

Process:	C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
File Type:	data
Category:	dropped
Size (bytes):	207872
Entropy (8bit):	7.999050560075495
Encrypted:	true
SSDEEP:	6144:yfHioBK/DQ0vgnZ92J6yN8n59mrjuydK/znla5oC:yfOjvgb2JpNeorjOznA5oC
MD5:	D63A88D1A1B8198E665C1094E96488BC
SHA1:	427EA9EB92C1C20B647CECD78C6085B509BCC326
SHA-256:	68B951C18FA6D7FDD30A5EB01609BAB36677D1414A6EC2D5A25C327A7D7CB9B0
SHA-512:	9C79A3F8E506447F6B5D24E27CED80E4EE449245D3483741EBD27E89656423B0ABDE9AE8ADBEAB430566999E86E3E70A8FECB6FE7F515F327066FF42E7A9E236
Malicious:	false
Preview:	z.(+...!........;.N.......E............q..B....5.UTtw.Sf..aE.j.Ix.Tq....9..8w.PxA....-...xA&..'..mX........9.My..M-.2V0....,...M..q.....v...._..T67b5.Jb.S..Q!QQ..(ni....J..Y&..z..gj5...jH..G......s.7...0...u.AL......$....Y...S...i.....WJ.t.=......R..@...O2..sf.XQ......3.z....NQl.h....X .....:d.O.....1N...i6..EU..J8.....V.{.c.F..............A..C[....m...E..N..PZ.......{H..e~..I.......7..%..o .M+.B..~..../\Y=s..JX@.....f..s&..3..1Y..._:...c/......Tc.../A..>n.F.../.Z.U.i......}...+..i4\....Z#.....&.JD.."O.?.ou(u4%b..O..Tm.y.n...{.........t.~w?.0.3.Bx..)....e.-.][. ...QeH.n.....vM........m...RE..../(N.....H.up}.....v..l..ey.o.((O..#s.I.LX...j..9)...X.h..$%Vk.........ta_.~.....2V..X.@o..R.....`[.T...,.O..Q.H......s.C...J.w.......q.....wr...N.'W.r.;."jo.Z....?....z.....b.w.D..b\|...@......N;....^L....2..nx..-...~.+@....C.....A./6GJ.t..g.s.MA.R...rh.......1..*4.B..)...........V.HM..AB....zJ.`\|`...g....iwOd..Q..B..F.s.7.WS.-.@...6...l...j.a]U..-"!".!.

C:\Users\user\AppData\Local\Temp\cbmfpeiu

Download File

Process:	C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
File Type:	data
Category:	dropped
Size (bytes):	207872
Entropy (8bit):	7.999050560075495
Encrypted:	true
SSDEEP:	6144:yfHioBK/DQ0vgnZ92J6yN8n59mrjuydK/znla5oC:yfOjvgb2JpNeorjOznA5oC
MD5:	D63A88D1A1B8198E665C1094E96488BC
SHA1:	427EA9EB92C1C20B647CECD78C6085B509BCC326
SHA-256:	68B951C18FA6D7FDD30A5EB01609BAB36677D1414A6EC2D5A25C327A7D7CB9B0
SHA-512:	9C79A3F8E506447F6B5D24E27CED80E4EE449245D3483741EBD27E89656423B0ABDE9AE8ADBEAB430566999E86E3E70A8FECB6FE7F515F327066FF42E7A9E236
Malicious:	false
Preview:	z.(+...!........;.N.......E............q..B....5.UTtw.Sf..aE.j.Ix.Tq....9..8w.PxA....-...xA&..'..mX........9.My..M-.2V0....,...M..q.....v...._..T67b5.Jb.S..Q!QQ..(ni....J..Y&..z..gj5...jH..G......s.7...0...u.AL......$....Y...S...i.....WJ.t.=......R..@...O2..sf.XQ......3.z....NQl.h....X .....:d.O.....1N...i6..EU..J8.....V.{.c.F..............A..C[....m...E..N..PZ.......{H..e~..I.......7..%..o .M+.B..~..../\Y=s..JX@.....f..s&..3..1Y..._:...c/......Tc.../A..>n.F.../.Z.U.i......}...+..i4\....Z#.....&.JD.."O.?.ou(u4%b..O..Tm.y.n...{.........t.~w?.0.3.Bx..)....e.-.][. ...QeH.n.....vM........m...RE..../(N.....H.up}.....v..l..ey.o.((O..#s.I.LX...j..9)...X.h..$%Vk.........ta_.~.....2V..X.@o..R.....`[.T...,.O..Q.H......s.C...J.w.......q.....wr...N.'W.r.;."jo.Z....?....z.....b.w.D..b\|...@......N;....^L....2..nx..-...~.+@....C.....A./6GJ.t..g.s.MA.R...rh.......1..*4.B..)...........V.HM..AB....zJ.`\|`...g....iwOd..Q..B..F.s.7.WS.-.@...6...l...j.a]U..-"!".!.

C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.136963558289723
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mnc2xtn:cbk4oL600QydbQxIYODOLedq3ZLj
MD5:	AE766004C0D8792953BAFFFE8F6A2E3B
SHA1:	14B12F27543A401E2FE0AF8052E116CAB0032426
SHA-256:	1ABDD9B6A6B84E4BA1AF1282DC84CE276C59BA253F4C4AF05FEA498A4FD99540
SHA-512:	E530DA4A5D4336FC37838D0E93B5EB3804B9C489C71F6954A47FC81A4C655BB72EC493E109CF96E6E3617D7623AC80697AD3BBD5FFC6281BAFC8B34DCA5E6567
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:a0Qn:/Qn
MD5:	0E18C253EB33804FAEB60D95384CE28F
SHA1:	5265FBE488A3AAB00CE74A325B5D6CA465A55142
SHA-256:	ADDCC29B2ABC88AC2C25A4F28879604E2F1CF0104A7A1CF6E0B16528FB50183F
SHA-512:	00D7DEE5D4A845629844DE6A41E373247524C8E187CF05C2B7AE3570C1DA2BC4E9E1892C90EE6F52399858406D6202C0929CBD3F35AC9A855EB7D84EE3FD6503
Malicious:	true
Preview:	..)Q)e.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.85263908467479
Encrypted:	false
SSDEEP:	3:oMty8WbSI1u:oMLWuI1u
MD5:	A35128E4E28B27328F70E4E8FF482443
SHA1:	B89066B2F8DB34299AABFD7ABEE402D5444DD079
SHA-256:	88AEA00733DC4B570A29D56A423CC5BF163E5ACE7AF349972EB0BBA8D9AD06E1
SHA-512:	F098E844B5373B34642B49B6E0F2E15CFDAA1A8B6CABC2196CEC0F3765289E5B1FD4AB588DD65F97C8E51FA9A81077621E9A06946859F296904C646906A70F33
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url

Download File

Process:	C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
File Type:	Generic INItialization configuration [InternetShortcut]
Category:	modified
Size (bytes):	186
Entropy (8bit):	4.970025311868907
Encrypted:	false
SSDEEP:	3:HRAbABGQYm5uOWXp5cViEaKC5D9c6AQI6ABGQYm5uOWXp5cViEaKC5D9c6AQA:HRYFVmwOWXp+NaZ5D+1YFVmwOWXp+Nay
MD5:	AC58C72B816D89CF6D82C181DF3FCD1C
SHA1:	ED37DDAD70163D899BF6DD12DBE4B839E147AE0A
SHA-256:	2B28DEC4AEE449EF1FD1FEC9E7C9CB29D967868CCFBD41E9CB1939DA8A202A7F
SHA-512:	0DD626181E2074E41D1FD55FF153DBD843D06B992B2CABB2B8ADB4DBDE0C993C915F2CDB45A362E5BC90751B015045E27725D09707D54DBEF344189954B45000
Malicious:	true
Yara Hits:	Rule: Methodology_Suspicious_Shortcut_Local_URL, Description: Detects local script usage for .URL persistence, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url, Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Preview:	[InternetShortcut]..URL=file:///C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe[InternetShortcut]..URL=file:///C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

Download File

Process:	C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4967954
Entropy (8bit):	5.837705465010447
Encrypted:	false
SSDEEP:	49152:RVg5tQ7aoFsGabuKxN5GmoZgZh8Jjf1SXAEaYD:fg56ddKPo2
MD5:	A360B0402DD16AE837F59D09E1BF3B3C
SHA1:	F62C60788659D8EAD3AAB08A752C02F270CF8CCD
SHA-256:	490AD4D568CF15F2B6BAFE80BEC8857CFD0680DD7FB65F352D6CC9DF9DCF5342
SHA-512:	2FA747F6AE259AF35521C0DAAD99059C3C0A726064C030579B3736C017A64C11CA015AACA2B5BBB6887341859833831D71DDB54A402099E7FA3B8EB24A6BC56F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 81%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L.H..2.[.........."..........&......t_............@...........................M.....[.....@...@.......@......................p..\|....@...O......................Ll..................................0'..@...............`............................text...O............\|.............. ..`.rdata..B............2..............@..@.data...T........b..................@....rsrc....O...@...P...b..............@..@.reloc..t...........................@..BeSkkNGPG.y...@...z...X..................PTcLNQBR^...............................uhxZiqpZ.w...p...x......................bMgQsjaV................................GBMbimfi................................DgfAMsww.n.......p......................rSvCgsmi................................YskjstAT

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	235
Entropy (8bit):	5.107306146099542
Encrypted:	false
SSDEEP:	6:zx3M1tlAX8bSWR30qysGMQbSVRRZBXVRbJ0fFPRAgRYan:zK1XnV30ZsGMIG9BFRbQ5AUYan
MD5:	67DDD8252A246E7B14649B0063E351C0
SHA1:	AAE1C6839D1CC4A626D0FB2D4773823AD209FA17
SHA-256:	24C8283BA3F7FCA2E4CEF6F141263DD1E8A36E5A5CD96A97BFE83525D7663116
SHA-512:	326A5E0A440F60D4808C91499F1F3616C496B67DC053B4A2A40B0FE09002074AE5365018781F8746E98E7E3CFCD35F1310D17FB7C2138A8157318E6791987025
Malicious:	false
Preview:	Microsoft (R) Build Engine Version 2.0.50727.8922..[Microsoft .NET Framework, Version 2.0.50727.8922]..Copyright (C) Microsoft Corporation 2005. All rights reserved.....MSBUILD : error MSB1009: Project file does not exist...Switch: 0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.837703338237122
TrID:	Win32 Executable (generic) a (10002005/4) 96.49% DirectShow filter (201580/2) 1.94% Windows ActiveX control (116523/4) 1.12% Win32 EXE PECompact compressed (generic) (41571/9) 0.40% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
File size:	4967948
MD5:	d2c96c075741ccd8bed558e39838a59d
SHA1:	09667b1bef10f69697d997a26d9d963dfe4bdeb3
SHA256:	d2a573edc893e24fbf245c4f8f918ec3b4f04fab928f073a24da3cb741d18388
SHA512:	cd882b512f98c72793b46a160feab5a7efa432a180a29f05fceabd6677d7791e9f64fa43246acd774a37439845203d0113ec1737a8e8118c9ed1ee35fb40d323
SSDEEP:	49152:RVg5tQ7aoFsGabuKxN5GmoZgZh8Jjf1SXAEaY7:fg56ddKPo2
TLSH:	5636051273F90556F2F36B31ADB191555F3ABDA99AF2D62E3240024E0976A40FE31B33
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	3f894c353f383a38

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5BAE3218 [Fri Sep 28 13:52:24 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F11D5288ACFh
jmp 00007F11D527BAE4h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F11D527BC6Ah
cmp edi, eax
jc 00007F11D527BFCEh
bt dword ptr [004C0158h], 01h
jnc 00007F11D527BC69h
rep movsb
jmp 00007F11D527BF7Ch
cmp ecx, 00000080h
jc 00007F11D527BE34h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F11D527BC70h
bt dword ptr [004BA370h], 01h
jc 00007F11D527C140h
bt dword ptr [004C0158h], 00000000h
jnc 00007F11D527BE0Dh
test edi, 00000003h
jne 00007F11D527BE1Eh
test esi, 00000003h
jne 00007F11D527BDFDh
bt edi, 02h
jnc 00007F11D527BC6Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F11D527BC73h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F11D527BCC5h
bt esi, 03h
jnc 00007F11D527BD18h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x54f80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x119000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x54f80	0x55000	False	0.9236299402573529	data	7.805489545240979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x119000	0xa474	0xa600	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
eSkkNGPG	0x124000	0x79ad	0x7a00	False	0.35098616803278687	data	4.535518130136907
PTcLNQBR	0x12c000	0xaf5e	0xb000	False	0.43363813920454547	data	5.356692905431131
uhxZiqpZ	0x137000	0x778b	0x7800	False	0.3194986979166667	data	4.3334565362895985
bMgQsjaV	0x13f000	0x3fc8f	0x3fe00	False	0.24984711350293543	data	4.05145736763233
GBMbimfi	0x17f000	0xa719	0xa800	False	0.4670293898809524	data	5.242631553298864
DgfAMsww	0x18a000	0x16e17	0x17000	False	0.29977284307065216	data	4.933275518369312
rSvCgsmi	0x1a1000	0xec4	0x1000	False	0.44287109375	data	5.224668348563421
YskjstAT	0x1a2000	0xc35e	0xc400	False	0.4137436224489796	data	4.976696158252635
LoVCKuYF	0x1af000	0x13567	0x13600	False	0.3956023185483871	data	4.838724782349081
WVocwQqb	0x1c3000	0x2da88	0x2dc00	False	0.26286074112021857	data	4.978337116946978
oSCGvaQZ	0x1f1000	0x1a95	0x1c00	False	0.22140066964285715	data	2.893264792435353
yZjSVOZX	0x1f3000	0xeaa	0x1000	False	0.4404296875	data	5.471251398155905
QXbsjhZl	0x1f4000	0x56ab	0x5800	False	0.3450372869318182	data	4.563138313410933
yyMCijkk	0x1fa000	0x240a	0x2600	False	0.3959703947368421	data	5.108896911843352
mpFeMMWO	0x1fd000	0x3983	0x3a00	False	0.20480872844827586	SysEx File -	4.340130743432657
lykrKTJc	0x201000	0x6364	0x6400	False	0.2933984375	data	4.674033826538105
uiehIGyj	0x208000	0x27a	0x400	False	0.310546875	data	2.456558757278845
zVFOZMAw	0x209000	0x601d5	0x60200	False	0.29784521293888166	data	5.856604686192216
YlpJAimU	0x26a000	0x5ab5	0x5c00	False	0.35597826086956524	data	5.271103031571286
JwzqdXdu	0x270000	0x14bf0	0x14c00	False	0.3460913968373494	data	4.477563975249695
UGiiFcPP	0x285000	0x7aa4	0x7c00	False	0.3504284274193548	data	4.508458694566567
WQbVwRsn	0x28d000	0x14b8e	0x14c00	False	0.16732163027108435	data	3.70717026919471
tPcESPxm	0x2a2000	0xadc5	0xae00	False	0.38873922413793105	data	4.905327698141381
aJkBpZiD	0x2ad000	0x6b65	0x6c00	False	0.3318504050925926	data	4.392601916452199
oVRlQlUl	0x2b4000	0x6fc2	0x7000	False	0.33461216517857145	data	4.387432855547406
kJDrTOOv	0x2bb000	0x83ee	0x8400	False	0.32359730113636365	data	4.337865742001504
dPNhZlJs	0x2c4000	0x5564	0x5600	False	0.32980559593023256	data	4.4462925278137835
tpgvdaSU	0x2ca000	0xaa2d	0xac00	False	0.395008175872093	data	5.184872625976529
stGTwKsk	0x2d5000	0x1a5	0x200	False	0.46484375	data	3.5685468265164313
NWtntEHY	0x2d6000	0x3b29	0x3c00	False	0.3858723958333333	data	4.867479033195617
SeCKBtus	0x2da000	0x3549	0x3600	False	0.5189525462962963	data	5.681334906237916
YLnRofwZ	0x2de000	0x1d076	0x1d200	False	0.33267670332618027	data	4.731011954937073
ITlNviCX	0x2fc000	0x1fd3	0x2000	False	0.414794921875	data	5.360679897144668
xXKSfIFI	0x2fe000	0xa5fb	0xa600	False	0.39780214608433734	data	5.050269524194634
rzHoctSy	0x309000	0x1010	0x1200	False	0.4262152777777778	data	5.038816754642175
tqGkaUrY	0x30b000	0x618f	0x6200	False	0.32067123724489793	DIY-Thermocam raw data (Lepton 2.x), scale 25973-29230, spot sensor temperature 4465277526996217788032159318016.000000, unit celsius, color scheme 0, calibration: offset 144115188075855872.000000, slope 17884532710627128377344.000000	4.335120538803027
XUULAqjj	0x312000	0x37ff	0x3800	False	0.4321986607142857	data	5.362762787611382
OJKanVIF	0x316000	0x21634	0x21800	False	0.30387855643656714	data	4.277314480562102
XOKAQdyM	0x338000	0x1864d	0x18800	False	0.3765345982142857	data	5.080509846456985
bvHwouBZ	0x351000	0xa2b0	0xa400	False	0.2437595274390244	data	4.199028080121188
emfUrPdE	0x35c000	0xe7e3	0xe800	False	0.40808526400862066	data	5.094889583938427
wDjKtsMK	0x36b000	0x35eaa	0x36000	False	0.19294795283564814	data	3.3645037945584124
mVRJZClE	0x3a1000	0xecf3	0xee00	False	0.40045627626050423	data	4.849352362005015
tOofDbnU	0x3b0000	0xa892	0xaa00	False	0.4192325367647059	data	4.961370398375378
jMZzwYXU	0x3bb000	0x4cf7	0x4e00	False	0.49368990384615385	data	5.31897065544915
nBeILfXx	0x3c0000	0x9372	0x9400	False	0.3332717483108108	data	4.3261187170092255
vXOIjvTV	0x3ca000	0x35cb	0x3600	False	0.6312210648148148	data	6.633589844178363
HdeHlMsv	0x3ce000	0x89bc	0x8a00	False	0.3580446105072464	data	4.550960204952043
INgZfirH	0x3d7000	0xe593	0xe600	False	0.32138247282608695	data	4.937237493219116
kDTxXhPW	0x3e6000	0x143	0x200	False	0.388671875	data	2.309414250359407
WGoHkNIX	0x3e7000	0xf27	0x1000	False	0.4541015625	data	5.223482856241876
KQZwnOJl	0x3e8000	0xd7fc	0xd800	False	0.46073857060185186	DIY-Thermocam raw data (Lepton 3.x), scale 11520-12544, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 147573952589676412928.000000, slope 9704463122297120914145280.000000	5.127740862936039
TIucAObT	0x3f6000	0x6cd5	0x6e00	False	0.4237926136363636	data	5.240262688404368
LbFXKCFw	0x3fd000	0xc78b	0xc800	False	0.37185546875	data	4.6714439388315085
zVPYqkoM	0x40a000	0xb156	0xb200	False	0.39786692415730335	data	5.027793035702181
FueMosXg	0x416000	0x4c2a	0x4e00	False	0.3350360576923077	data	4.519752982476082
iRDivbUE	0x41b000	0xc1e	0xe00	False	0.4263392857142857	data	5.114047767058862
qqDFgVrq	0x41c000	0x56ee	0x5800	False	0.21666370738636365	data	3.357912782144656
NoZwckKd	0x422000	0xb466	0xb600	False	0.35561899038461536	data	4.609491392908207
xegiIWpk	0x42e000	0x3b1	0x400	False	0.466796875	data	3.5123040032137434
lFLuySNA	0x42f000	0x9c9c	0x9e00	False	0.41836431962025317	data	4.809466543354873
yfUTtHPf	0x439000	0x7dc	0x800	False	0.39599609375	data	4.148816820068358
HFrIlBYb	0x43a000	0x11bd	0x1200	False	0.4587673611111111	data	5.275938366031744
NCFRXlWT	0x43c000	0x2038	0x2200	False	0.30652573529411764	data	3.70753335612539
DOngBUEn	0x43f000	0x921b4	0x92200	False	0.28899734014114625	data	5.578060697455509
XkEBteUo	0x4d2000	0x511e	0x5200	False	0.3346512957317073	data	4.507233992378509
JfnpBUQQ	0x4d8000	0x1677	0x1800	False	0.3590494791666667	data	3.8394132116328463

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc4590	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain
RT_ICON	0xc46b8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain
RT_ICON	0xc4d20	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain
RT_ICON	0xc5008	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	Great Britain
RT_ICON	0xc51f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain
RT_ICON	0xc5318	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain
RT_ICON	0xc61c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain
RT_ICON	0xc6a68	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	Great Britain
RT_ICON	0xc7130	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain
RT_ICON	0xc7698	0xabb6	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain
RT_ICON	0xd2250	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain
RT_ICON	0xd47f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain
RT_ICON	0xd58a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	Great Britain
RT_ICON	0xd6228	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain
RT_STRING	0xd6690	0x594	data	English	Great Britain
RT_STRING	0xd6c24	0x68a	data	English	Great Britain
RT_STRING	0xd72b0	0x490	data	English	Great Britain
RT_STRING	0xd7740	0x5fc	data	English	Great Britain
RT_STRING	0xd7d3c	0x65c	data	English	Great Britain
RT_STRING	0xd8398	0x466	data	English	Great Britain
RT_STRING	0xd8800	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain
RT_RCDATA	0xd8958	0x400cb	data
RT_GROUP_ICON	0x118a24	0xbc	data	English	Great Britain
RT_GROUP_ICON	0x118ae0	0x14	data	English	Great Britain
RT_VERSION	0x118af4	0xdc	data	English	Great Britain
RT_MANIFEST	0x118bd0	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3192.169.69.264971118962025019 06/04/23-11:28:18.475887	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49711	1896	192.168.2.3	192.169.69.26
192.168.2.3192.169.69.264971718962025019 06/04/23-11:28:50.523433	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49717	1896	192.168.2.3	192.169.69.26
192.168.2.3192.169.69.264970718962025019 06/04/23-11:27:57.173727	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49707	1896	192.168.2.3	192.169.69.26
192.168.2.3192.169.69.264971218962025019 06/04/23-11:28:23.420896	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49712	1896	192.168.2.3	192.169.69.26
192.168.2.3192.169.69.264971318962025019 06/04/23-11:28:28.432846	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49713	1896	192.168.2.3	192.169.69.26
192.168.2.3192.169.69.264971918962025019 06/04/23-11:29:00.977409	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49719	1896	192.168.2.3	192.169.69.26
192.168.2.3192.169.69.264971818962025019 06/04/23-11:28:55.916794	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49718	1896	192.168.2.3	192.169.69.26
192.168.2.3192.169.69.264970518962025019 06/04/23-11:27:45.907549	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49705	1896	192.168.2.3	192.169.69.26
192.168.2.3192.169.69.264969918962025019 06/04/23-11:27:14.981963	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49699	1896	192.168.2.3	192.169.69.26
192.168.2.3192.169.69.264970618962025019 06/04/23-11:27:50.915043	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49706	1896	192.168.2.3	192.169.69.26
192.168.2.3192.169.69.264970118962025019 06/04/23-11:27:25.413836	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49701	1896	192.168.2.3	192.169.69.26
192.168.2.3192.169.69.264970018962025019 06/04/23-11:27:20.405611	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49700	1896	192.168.2.3	192.169.69.26

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 4, 2023 11:27:00.324069023 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.324297905 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.324374914 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.324446917 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.324493885 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.324533939 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.335150003 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.335196972 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.335339069 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.335508108 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.335681915 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.335861921 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.336209059 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.336437941 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.336488008 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.336636066 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.336671114 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.336865902 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.336981058 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.337177038 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.337305069 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.337481022 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.337692976 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.337846041 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.337924004 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.338171959 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.338228941 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.338363886 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.338484049 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.338557005 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.338663101 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.338768005 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.351888895 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.351933956 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.351989031 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.352036953 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.352076054 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.352104902 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.352109909 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.352188110 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.352188110 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.352353096 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.352416039 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.352447987 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.363018990 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.363064051 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.363219023 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.363254070 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.363403082 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.363518000 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.363564968 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.363723993 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.363903999 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.363944054 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.363975048 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.364007950 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.364041090 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.364073992 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.364099979 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.364104986 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.364187002 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.364187002 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:00.461503029 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.461559057 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:00.461791992 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:14.639772892 CEST	49699	1896	192.168.2.3	192.169.69.26
Jun 4, 2023 11:27:14.913640022 CEST	1896	49699	192.169.69.26	192.168.2.3
Jun 4, 2023 11:27:14.914050102 CEST	49699	1896	192.168.2.3	192.169.69.26
Jun 4, 2023 11:27:14.981962919 CEST	49699	1896	192.168.2.3	192.169.69.26
Jun 4, 2023 11:27:15.416867018 CEST	1896	49699	192.169.69.26	192.168.2.3
Jun 4, 2023 11:27:19.842092991 CEST	49700	1896	192.168.2.3	192.169.69.26
Jun 4, 2023 11:27:20.402514935 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:20.402683020 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:20.402740002 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:20.402806044 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:20.402849913 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:20.402873993 CEST	49693	443	192.168.2.3	23.0.174.88
Jun 4, 2023 11:27:20.405004978 CEST	1896	49700	192.169.69.26	192.168.2.3
Jun 4, 2023 11:27:20.405138016 CEST	49700	1896	192.168.2.3	192.169.69.26
Jun 4, 2023 11:27:20.405611038 CEST	49700	1896	192.168.2.3	192.169.69.26
Jun 4, 2023 11:27:20.413551092 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.413616896 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.413661957 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.413703918 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.413747072 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.413851976 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.413966894 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.414011955 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.414129019 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.414172888 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.414285898 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.414411068 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.414608955 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.414654016 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.414855957 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.414886951 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.414913893 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.415009022 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.415081024 CEST	443	49693	23.0.174.88	192.168.2.3
Jun 4, 2023 11:27:20.415213108 CEST	443	49693	23.0.174.88	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 4, 2023 11:27:14.502774954 CEST	52387	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:27:14.624871969 CEST	53	52387	8.8.8.8	192.168.2.3
Jun 4, 2023 11:27:19.818093061 CEST	56924	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:27:19.838557959 CEST	53	56924	8.8.8.8	192.168.2.3
Jun 4, 2023 11:27:24.938667059 CEST	60625	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:27:25.060234070 CEST	53	60625	8.8.8.8	192.168.2.3
Jun 4, 2023 11:27:45.224785089 CEST	49302	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:27:45.338428020 CEST	53	49302	8.8.8.8	192.168.2.3
Jun 4, 2023 11:27:50.444329977 CEST	53975	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:27:50.467924118 CEST	53	53975	8.8.8.8	192.168.2.3
Jun 4, 2023 11:27:55.807750940 CEST	51139	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:27:55.828227997 CEST	53	51139	8.8.8.8	192.168.2.3
Jun 4, 2023 11:28:17.666209936 CEST	52955	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:28:17.780860901 CEST	53	52955	8.8.8.8	192.168.2.3
Jun 4, 2023 11:28:22.939152956 CEST	60582	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:28:23.062289953 CEST	53	60582	8.8.8.8	192.168.2.3
Jun 4, 2023 11:28:27.976121902 CEST	57134	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:28:28.098058939 CEST	53	57134	8.8.8.8	192.168.2.3
Jun 4, 2023 11:28:49.655924082 CEST	62050	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:28:49.769670963 CEST	53	62050	8.8.8.8	192.168.2.3
Jun 4, 2023 11:28:55.252490044 CEST	56042	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:28:55.282026052 CEST	53	56042	8.8.8.8	192.168.2.3
Jun 4, 2023 11:29:00.458888054 CEST	59636	53	192.168.2.3	8.8.8.8
Jun 4, 2023 11:29:00.487466097 CEST	53	59636	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 4, 2023 11:27:14.502774954 CEST	192.168.2.3	8.8.8.8	0x32de	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:27:19.818093061 CEST	192.168.2.3	8.8.8.8	0xa211	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:27:24.938667059 CEST	192.168.2.3	8.8.8.8	0xcb5	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:27:45.224785089 CEST	192.168.2.3	8.8.8.8	0x72a6	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:27:50.444329977 CEST	192.168.2.3	8.8.8.8	0x722d	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:27:55.807750940 CEST	192.168.2.3	8.8.8.8	0xc7c8	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:28:17.666209936 CEST	192.168.2.3	8.8.8.8	0x325a	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:28:22.939152956 CEST	192.168.2.3	8.8.8.8	0x6307	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:28:27.976121902 CEST	192.168.2.3	8.8.8.8	0x5504	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:28:49.655924082 CEST	192.168.2.3	8.8.8.8	0xedcf	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:28:55.252490044 CEST	192.168.2.3	8.8.8.8	0x59b1	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:29:00.458888054 CEST	192.168.2.3	8.8.8.8	0x63f6	Standard query (0)	nickdns22.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 4, 2023 11:27:14.624871969 CEST	8.8.8.8	192.168.2.3	0x32de	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:27:19.838557959 CEST	8.8.8.8	192.168.2.3	0xa211	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:27:25.060234070 CEST	8.8.8.8	192.168.2.3	0xcb5	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:27:45.338428020 CEST	8.8.8.8	192.168.2.3	0x72a6	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:27:50.467924118 CEST	8.8.8.8	192.168.2.3	0x722d	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:27:55.828227997 CEST	8.8.8.8	192.168.2.3	0xc7c8	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:28:17.780860901 CEST	8.8.8.8	192.168.2.3	0x325a	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:28:23.062289953 CEST	8.8.8.8	192.168.2.3	0x6307	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:28:28.098058939 CEST	8.8.8.8	192.168.2.3	0x5504	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:28:49.769670963 CEST	8.8.8.8	192.168.2.3	0xedcf	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:28:55.282026052 CEST	8.8.8.8	192.168.2.3	0x59b1	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 11:29:00.487466097 CEST	8.8.8.8	192.168.2.3	0x63f6	No error (0)	nickdns22.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:27:01
Start date:	04/06/2023
Path:	C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Imagebase:	0x2d0000
File size:	4967948 bytes
MD5 hash:	D2C96C075741CCD8BED558E39838A59D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: MSBuild.exePID: 5980, Parent PID: 7044

General

Target ID:	1
Start time:	11:27:11
Start date:	04/06/2023
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Imagebase:	0x720000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.630789913.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.634649068.0000000005640000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate

Analysis Process: schtasks.exePID: 5916, Parent PID: 5980

General

Target ID:	2
Start time:	11:27:13
Start date:	04/06/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp
Imagebase:	0x3f0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 3676, Parent PID: 5916

General

Target ID:	3
Start time:	11:27:13
Start date:	04/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MSBuild.exePID: 5744, Parent PID: 1080

General

Target ID:	4
Start time:	11:27:15
Start date:	04/06/2023
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Imagebase:	0xd50000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: conhost.exePID: 3100, Parent PID: 5744

General

Target ID:	5
Start time:	11:27:15
Start date:	04/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: znytpstdcrwsisx.exePID: 5292, Parent PID: 3452

General

Target ID:	6
Start time:	11:27:20
Start date:	04/06/2023
Path:	C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe"
Imagebase:	0xdf0000
File size:	4967954 bytes
MD5 hash:	A360B0402DD16AE837F59D09E1BF3B3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 81%, ReversingLabs
Reputation:	low

Analysis Process: MSBuild.exePID: 5944, Parent PID: 5292

General

Target ID:	7
Start time:	11:27:22
Start date:	04/06/2023
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Imagebase:	0xac0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Data Obfuscation

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MSBuild.exe.log

C:\Users\user\AppData\Local\Temp\aut8DF8.tmp

C:\Users\user\AppData\Local\Temp\cbmfpeiu

C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Windows Analysis Report
Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre