Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
NA.exe

Overview

General Information

Sample Name:NA.exe
Analysis ID:881404
MD5:6c432a8b26bc0e068f23e88f69c0f565
SHA1:318fdcf5ba0a326bf6601e1f917f9aa16645d9ca
SHA256:0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331
Tags:exe
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • NA.exe (PID: 1544 cmdline: C:\Users\user\Desktop\NA.exe MD5: 6C432A8B26BC0E068F23E88F69C0F565)
    • CasPol.exe (PID: 5528 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
  • dhcpmon.exe (PID: 4584 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Nanocore RAT, NanoCoreNanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.
  • APT33
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "954449b5-566c-46fe-92f0-8eb82a7f", "Group": "Cashout", "Domain1": "ezemnia3.ddns.net", "Domain2": "91.193.75.178", "Port": 62335, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth (Nextron Systems)
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmpMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
  • 0xe38:$x2: NanoCore.ClientPlugin
  • 0xe75:$x3: NanoCore.ClientPluginHost
  • 0xe5a:$i1: IClientApp
  • 0xe4e:$i2: IClientData
  • 0xe29:$i3: IClientNetwork
  • 0xec3:$i4: IClientAppHost
  • 0xe65:$i5: IClientDataHost
  • 0xeb0:$i6: IClientLoggingHost
  • 0xe8f:$i7: IClientNetworkHost
  • 0xea2:$i8: IClientUIHost
  • 0xed2:$i9: IClientNameObjectCollection
  • 0xef7:$i10: IClientReadOnlyNameObjectCollection
  • 0xe41:$s1: ClientPlugin
  • 0x177c:$s1: ClientPlugin
  • 0x1789:$s1: ClientPlugin
  • 0x11f9:$s6: get_ClientSettings
  • 0x1249:$s7: get_Connected
00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmpWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
  • 0xe75:$a1: NanoCore.ClientPluginHost
  • 0xe38:$a2: NanoCore.ClientPlugin
  • 0x120c:$b1: get_BuilderSettings
  • 0xec3:$b4: IClientAppHost
  • 0x127d:$b6: AddHostEntry
  • 0x12ec:$b7: LogClientException
  • 0x1261:$b8: PipeExists
  • 0xeb0:$b9: IClientLoggingHost
00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Click to see the 29 entries

Unpacked PEs

SourceRuleDescriptionAuthorStrings
1.2.CasPol.exe.5ce0000.5.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
1.2.CasPol.exe.5ce0000.5.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth (Nextron Systems)
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
1.2.CasPol.exe.5ce0000.5.raw.unpackMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
  • 0xe38:$x2: NanoCore.ClientPlugin
  • 0xe75:$x3: NanoCore.ClientPluginHost
  • 0xe5a:$i1: IClientApp
  • 0xe4e:$i2: IClientData
  • 0xe29:$i3: IClientNetwork
  • 0xec3:$i4: IClientAppHost
  • 0xe65:$i5: IClientDataHost
  • 0xeb0:$i6: IClientLoggingHost
  • 0xe8f:$i7: IClientNetworkHost
  • 0xea2:$i8: IClientUIHost
  • 0xed2:$i9: IClientNameObjectCollection
  • 0xef7:$i10: IClientReadOnlyNameObjectCollection
  • 0xe41:$s1: ClientPlugin
  • 0x177c:$s1: ClientPlugin
  • 0x1789:$s1: ClientPlugin
  • 0x11f9:$s6: get_ClientSettings
  • 0x1249:$s7: get_Connected
1.2.CasPol.exe.5ce0000.5.raw.unpackWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
  • 0xe75:$a1: NanoCore.ClientPluginHost
  • 0xe38:$a2: NanoCore.ClientPlugin
  • 0x120c:$b1: get_BuilderSettings
  • 0xec3:$b4: IClientAppHost
  • 0x127d:$b6: AddHostEntry
  • 0x12ec:$b7: LogClientException
  • 0x1261:$b8: PipeExists
  • 0xeb0:$b9: IClientLoggingHost
1.2.CasPol.exe.5d70000.6.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
Click to see the 57 entries

Sigma Signatures

AV Detection

barindex
Sigma detected: NanoCore
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 5528, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

barindex
Sigma detected: NanoCore
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 5528, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

barindex
Sigma detected: NanoCore
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 5528, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

barindex
Sigma detected: NanoCore
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 5528, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Found malware configuration
Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "954449b5-566c-46fe-92f0-8eb82a7f", "Group": "Cashout", "Domain1": "ezemnia3.ddns.net", "Domain2": "91.193.75.178", "Port": 62335, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for submitted file
Source: NA.exeReversingLabs: Detection: 29%
Antivirus detection for URL or domain
Source: 91.193.75.178Avira URL Cloud: Label: malware
Source: ezemnia3.ddns.netAvira URL Cloud: Label: malware
Yara detected Nanocore RAT
Source: Yara matchFile source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTR
Machine Learning detection for sample
Source: NA.exeJoe Sandbox ML: detected
Source: NA.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: caspol.pdbdv source: CasPol.exe, 00000001.00000003.389904732.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.650649992.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000004.00000000.414315300.0000000000C32000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr
Source: Binary string: caspol.pdb source: CasPol.exe, 00000001.00000003.389904732.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.650649992.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000004.00000000.414315300.0000000000C32000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr
Source: Binary string: WINNERS.pdb source: NA.exe, 00000000.00000002.387087180.0000016100001000.00000004.00000800.00020000.00000000.sdmp, NA.exe, 00000000.00000002.388893091.0000016178BB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: BHBhHuH.pdb source: NA.exe

Networking

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractorURLs: ezemnia3.ddns.net
Source: Malware configuration extractorURLs: 91.193.75.178
Uses dynamic DNS services
Source: unknownDNS query: name: ezemnia3.ddns.net
Source: Joe Sandbox ViewASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: Joe Sandbox ViewASN Name: VCG-ASNG VCG-ASNG
Source: global trafficTCP traffic: 192.168.2.5:49693 -> 102.90.46.28:62335
Source: global trafficTCP traffic: 192.168.2.5:49713 -> 91.193.75.178:62335
Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
Source: CasPol.exe, 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknownDNS traffic detected: queries for: ezemnia3.ddns.net
Source: CasPol.exe, 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: RegisterRawInputDevices

E-Banking Fraud

barindex
Yara detected Nanocore RAT
Source: Yara matchFile source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTR

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\NA.exeCode function: 0_2_00007FF9A59508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 1_2_04FFE480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 1_2_04FFE471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 1_2_04FFBBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 1_2_06240040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_013E0958
Source: NA.exeStatic PE information: No import functions for PE file found
Source: NA.exe, 00000000.00000002.388691888.00000161788A0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBHBhHuH.exe0 vs NA.exe
Source: NA.exe, 00000000.00000002.387087180.0000016100001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWINNERS.dll0 vs NA.exe
Source: NA.exe, 00000000.00000002.388893091.0000016178BB0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameWINNERS.dll0 vs NA.exe
Source: NA.exe, 00000000.00000002.388726593.00000161789BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs NA.exe
Source: NA.exeBinary or memory string: OriginalFilenameBHBhHuH.exe0 vs NA.exe
Source: NA.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NA.exeReversingLabs: Detection: 29%
Source: NA.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NA.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\NA.exe C:\Users\user\Desktop\NA.exe
Source: C:\Users\user\Desktop\NA.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NA.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\NA.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NA.exe.logJump to behavior
Source: classification engineClassification label: mal100.troj.evad.winEXE@5/5@6/2
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.0.dhcpmon.exe.c30000.0.unpack, Microsoft.Tools.Caspol/caspol.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.dhcpmon.exe.c30000.0.unpack, Microsoft.Tools.Caspol/caspol.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.1.dr, Microsoft.Tools.Caspol/caspol.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.1.dr, Microsoft.Tools.Caspol/caspol.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: NA.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\NA.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{954449b5-566c-46fe-92f0-8eb82a7f77b0}
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
Source: NA.exe, dg3ypDAonQcOidMs0w/WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
Source: NA.exe, dg3ypDAonQcOidMs0w/WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: NA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NA.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: NA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: caspol.pdbdv source: CasPol.exe, 00000001.00000003.389904732.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.650649992.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000004.00000000.414315300.0000000000C32000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr
Source: Binary string: caspol.pdb source: CasPol.exe, 00000001.00000003.389904732.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.650649992.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000004.00000000.414315300.0000000000C32000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr
Source: Binary string: WINNERS.pdb source: NA.exe, 00000000.00000002.387087180.0000016100001000.00000004.00000800.00020000.00000000.sdmp, NA.exe, 00000000.00000002.388893091.0000016178BB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: BHBhHuH.pdb source: NA.exe

Data Obfuscation

barindex
.NET source code contains potential unpacker
Source: NA.exe, program.cs.Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: NA.exe, dg3ypDAonQcOidMs0w/WP6RZJql8gZrNhVA9v.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\NA.exeCode function: 0_2_00007FF9A595518F push dword ptr [ebp-16FFFFFFh]; ret
Source: NA.exeStatic PE information: 0xB53777FE [Wed May 5 18:54:54 2066 UTC]
Source: initial sampleStatic PE information: section name: .text entropy: 7.967009459127166
Source: NA.exe, dg3ypDAonQcOidMs0w/WP6RZJql8gZrNhVA9v.csHigh entropy of concatenated method names: '.cctor', 'co6c6Nm3PZwY0', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB', 'ubAof6RgCm', 'YpJoWsPi7X', 'BEVodWAYPB', 'gX8onkMSd7', 'PEXoCqmS4w'
Source: NA.exe, oRZtxCaSAYh6EEGEIZ/Idt5pgryuYoFVQiX6j.csHigh entropy of concatenated method names: 'fBNc6NmmIqQ1R', '.ctor', '.cctor', 'iNWIf2QpurvD6XMUt7', 'AZak8DBhxQL2VMNKLI', 'GMhD36hGpGqEJW2pxp', 'dgD7B6bvHp3vfThMay', 'T06nspdDH1qRC3iGuj', 'KKqDqEEle7bnmacEWX', 'EUf3IRcFoqdrtVdspF'
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\NA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NA.exe TID: 5552Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4360Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 576Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\NA.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 9716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: foregroundWindowGot 1194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\NA.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: CasPol.exe, 00000001.00000002.650649992.0000000000CEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\NA.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\NA.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Users\user\Desktop\NA.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Users\user\Desktop\NA.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 420000
Source: C:\Users\user\Desktop\NA.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 422000
Source: C:\Users\user\Desktop\NA.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: B2F008
.NET source code references suspicious native API functions
Source: NA.exe, dg3ypDAonQcOidMs0w/WP6RZJql8gZrNhVA9v.csReference to suspicious API methods: ('oGjoaYPPLS', 'GetProcAddress@kernel32'), ('H1sorrpiaP', 'LoadLibrary@kernel32')
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.csReference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\NA.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\NA.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\NA.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Source: CasPol.exe, 00000001.00000002.656888742.0000000005EDD000.00000004.00000010.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.651668667.000000000342B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.651668667.0000000003042000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
Source: CasPol.exe, 00000001.00000002.651668667.0000000003022000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managerx
Source: CasPol.exe, 00000001.00000002.651668667.00000000033B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerHaFp
Source: C:\Users\user\Desktop\NA.exeQueries volume information: C:\Users\user\Desktop\NA.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

barindex
Yara detected Nanocore RAT
Source: Yara matchFile source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTR

Remote Access Functionality

barindex
Detected Nanocore Rat
Source: NA.exe, 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: NA.exe, 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CasPol.exe, 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CasPol.exe, 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara matchFile source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTR

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
Native API		Path Interception312
Process Injection		2
Masquerading		11
Input Capture		1
Security Software Discovery		Remote Services11
Input Capture		Exfiltration Over Other Network Medium1
Encrypted Channel		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Disable or Modify Tools		LSASS Memory2
Process Discovery		Remote Desktop Protocol11
Archive Collected Data		Exfiltration Over Bluetooth1
Non-Standard Port		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
Virtualization/Sandbox Evasion		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
Remote Access Software		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)312
Process Injection		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureScheduled Transfer1
Non-Application Layer Protocol		SIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
Deobfuscate/Decode Files or Information		LSA Secrets12
System Information Discovery		SSHKeyloggingData Transfer Size Limits21
Application Layer Protocol		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.common1
Hidden Files and Directories		Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup Items2
Obfuscated Files or Information		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job22
Software Packing		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
Timestomp		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
NA.exe30%ReversingLabsByteCode-MSIL.Trojan.Heracles
NA.exe100%Joe Sandbox ML

Dropped Files

SourceDetectionScannerLabelLink
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
91.193.75.178100%Avira URL Cloudmalware
ezemnia3.ddns.net100%Avira URL Cloudmalware

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
ezemnia3.ddns.net
102.90.46.28
truetrue
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    ezemnia3.ddns.nettrue
    • Avira URL Cloud: malware
    		unknown
    91.193.75.178true
    • Avira URL Cloud: malware
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCasPol.exe, 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmpfalse
      		high

      World Map of Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public IPs

      IPDomainCountryFlagASNASN NameMalicious
      91.193.75.178
      		unknownSerbia
      		209623DAVID_CRAIGGGtrue
      102.90.46.28
      		ezemnia3.ddns.netNigeria
      		29465VCG-ASNGtrue

      General Information

      Joe Sandbox Version:37.1.0 Beryl
      Analysis ID:881404
      Start date and time:2023-06-04 17:40:28 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 57s
      Hypervisor based Inspection enabled:false
      Report type:light
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample file name:NA.exe
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@5/5@6/2
      EGA Information:
      • Successful, ratio: 33.3%
      HDC Information:
      • Successful, ratio: 55.1% (good quality ratio 49.8%)
      • Quality average: 64.2%
      • Quality standard deviation: 32.1%
      HCA Information:
      • Successful, ratio: 90%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .exe

      Warnings

      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
      • Excluded IPs from analysis (whitelisted): 23.0.174.114, 23.0.174.96, 23.0.174.106, 23.0.174.107, 23.0.174.112, 23.0.174.97, 23.0.174.104, 23.0.174.91, 23.0.174.98
      • Excluded domains from analysis (whitelisted): www.bing.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net
      • Execution Graph export aborted for target NA.exe, PID 1544 because it is empty
      • Execution Graph export aborted for target dhcpmon.exe, PID 4584 because it is empty
      • Not all processes where analyzed, report is missing behavior information
      • VT rate limit hit for: NA.exe

      Simulations

      Behavior and APIs

      TimeTypeDescription
      17:41:28API Interceptor1054x Sleep call for process: CasPol.exe modified
      17:41:30AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):107624
      Entropy (8bit):5.882571203162287
      Encrypted:false
      SSDEEP:1536:oSF7vA1hRqHixxMjlI34j8p2mdc/6A4vW/CU1RPMRVQJE:/A1hDPMip2mdcyA4vW/JRPMLQW
      MD5:F866FC1C2E928779C7119353C3091F0C
      SHA1:70D06064E2F12CFB10A82BC985F86F58EA7A4138
      SHA-256:67F3FC243C58EEAE55BDDC22CE025B7841A89ACA2E201B999D8C0E4F07D177B8
      SHA-512:B28B10801580726B85AB5F796EA26835648A3ACFBE1FBA95DFC687439B43FF9548BD3AB9EFC85D88FC071D232718BCFFAC614CC5BFF159173996A3D2AB22154D
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Reputation:moderate, very likely benign file
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rX.Z..............0..X...........v... ........@.. ..............................Q.....`.................................<v..O.......$............f..h>...........u............................................... ............... ..H............text....V... ...X.................. ..`.rsrc...$............Z..............@..@.reloc...............d..............@..B................pv......H.......,...`...............xE...t......................................2~P....o....*.r...p(....*VrK..p(....s.....P...*..0.._.......~....:O....>.....%.rm..p...A...s......su....%.r...p...A...s....rm..p.su....%.r...p...B...s......su....%.r...p...B...s....r...p.su....%.r...p...C...s......su....%.r...p...C...s....r...p.su....%.r...p...D...s......su....%.r...p...D...s....r...p.su....%.r...p...E...s......su....%..r...p...E...s....r...p.su....%..r...p...F...s......su....%..r...p...F

      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NA.exe.log

      Download File
      Process:C:\Users\user\Desktop\NA.exe
      File Type:CSV text
      Category:dropped
      Size (bytes):226
      Entropy (8bit):5.354940450065058
      Encrypted:false
      SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
      MD5:B10E37251C5B495643F331DB2EEC3394
      SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
      SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
      SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
      Malicious:true
      Reputation:high, very likely benign file
      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..

      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

      Download File
      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      File Type:ASCII text, with CRLF line terminators
      Category:modified
      Size (bytes):42
      Entropy (8bit):4.0050635535766075
      Encrypted:false
      SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
      MD5:84CFDB4B995B1DBF543B26B86C863ADC
      SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
      SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
      SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
      Malicious:false
      Reputation:high, very likely benign file
      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..

      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Download File
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      File Type:Non-ISO extended-ASCII text, with no line terminators, with escape sequences
      Category:dropped
      Size (bytes):8
      Entropy (8bit):3.0
      Encrypted:false
      SSDEEP:3:yt:yt
      MD5:E4A6D16D7F7D253314AEF24A15FBC92A
      SHA1:8D34EBADE8A34A2C7393ED889B645FFFEC163048
      SHA-256:8ECF592FB6C70B0DF6F5C97FDDF4560224D9FF38F30443B50EFED9A99DBA0A31
      SHA-512:E4497B0F82D2E8D07308047409DA25CF15B838DB974E1E19BB15D29DCDC12631F16A9F2F0B35959F87874BF50433FAFC8C1434969736EFF833D27F5D82CB6332
      Malicious:true
      Preview:....]e.H

      \Device\ConDrv

      Download File
      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):486
      Entropy (8bit):5.064987733454706
      Encrypted:false
      SSDEEP:12:z30U30b4BFNY8fNFquci7S1pE+DPOCN6+QOH5JyY:z3F3g4DO4UE+Tz5JB
      MD5:30394F72BB157162F35A2DEB1F48BD1A
      SHA1:66AD7D748F42C64E0698606A8F019D165DE657E8
      SHA-256:133FABF0CD558FA3E5144E9EF35654FA0422F8424C6D5D82828B8D10EC9BA295
      SHA-512:A93E12D6C9927403FE0E20B8A698B24007EBCCD53A29AD65428366C6CE3CED05E5F3AEFF1D46C7D9F174EAEAE5059F0B5D12353B6022965CDC5D187E45FA72E9
      Malicious:false
      Preview:Microsoft .NET Framework CasPol 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....WARNING: The .NET Framework does not apply CAS policy by default. Any settings shown or modified by CasPol will only ..affect applications that opt into using CAS policy. ....Please see http://go.microsoft.com/fwlink/?LinkId=131738 for more information. ......ERROR: Not enough arguments....For usage information, use 'caspol -?'..

      Static File Info

      General

      File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
      Entropy (8bit):7.963481307928194
      TrID:
      • Win64 Executable GUI Net Framework (217006/5) 49.88%
      • Win64 Executable GUI (202006/5) 46.43%
      • Win64 Executable (generic) (12005/4) 2.76%
      • Generic Win/DOS Executable (2004/3) 0.46%
      • DOS Executable Generic (2002/1) 0.46%
      File name:NA.exe
      File size:775680
      MD5:6c432a8b26bc0e068f23e88f69c0f565
      SHA1:318fdcf5ba0a326bf6601e1f917f9aa16645d9ca
      SHA256:0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331
      SHA512:1a57c2c54e51a4e9bc1abf375a10e87236c5136cbbca0920597ecbf7f0d3bae674cced351ee5794028f7e7e25982bcb3409fc36d6ccf41b9497bbdec03a19c7e
      SSDEEP:12288:faNp9CFWv60PaT5zePZMjFkA1pniuSwgsAaQWKYt9VRd4li8i+3UQXGLPSPr3FbV:SNp9CFEa4RMjFhThyaJj+N66z3F8+sW
      TLSH:51F42226BB93C772D90595B050B3051183F5D38A7637CA5B2D98A2DB0E673A0FF4AB4C
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....w7...............0.................. ....@...... ....................... ............`...@......@............... .....

      File Icon

      Icon Hash:90cececece8e8eb0

      Static PE Info

      General

      Entrypoint:0x400000
      Entrypoint Section:
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Time Stamp:0xB53777FE [Wed May 5 18:54:54 2066 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:

      Entrypoint Preview

      Instruction
      dec ebp
      pop edx
      nop
      add byte ptr [ebx], al
      add byte ptr [eax], al
      add byte ptr [eax+eax], al
      add byte ptr [eax], al

      Data Directories

      NameVirtual AddressVirtual Size Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_RESOURCE0xc00000x598.rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
      IMAGE_DIRECTORY_ENTRY_DEBUG0xbebd40x1c.text
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IAT0x00x0
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text

      Sections

      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
      .text0x20000xbcc200xbce00False0.9689594018861681data7.967009459127166IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rsrc0xc00000x5980x600False0.412109375data4.066824834379209IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

      Resources

      NameRVASizeTypeLanguageCountry
      RT_VERSION0xc00a00x30cdata
      RT_MANIFEST0xc03ac0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

      Network Behavior

      Network Port Distribution

      TCP Packets

      TimestampSource PortDest PortSource IPDest IP
      Jun 4, 2023 17:41:29.846982956 CEST4969362335192.168.2.5102.90.46.28
      Jun 4, 2023 17:41:32.860028028 CEST4969362335192.168.2.5102.90.46.28
      Jun 4, 2023 17:41:38.861643076 CEST4969362335192.168.2.5102.90.46.28
      Jun 4, 2023 17:41:49.086462975 CEST4971162335192.168.2.5102.90.46.28
      Jun 4, 2023 17:41:52.096015930 CEST4971162335192.168.2.5102.90.46.28
      Jun 4, 2023 17:41:58.112176895 CEST4971162335192.168.2.5102.90.46.28
      Jun 4, 2023 17:42:07.524621010 CEST4971262335192.168.2.5102.90.46.28
      Jun 4, 2023 17:42:10.535191059 CEST4971262335192.168.2.5102.90.46.28
      Jun 4, 2023 17:42:16.535546064 CEST4971262335192.168.2.5102.90.46.28
      Jun 4, 2023 17:42:26.428272009 CEST4971362335192.168.2.591.193.75.178
      Jun 4, 2023 17:42:26.473097086 CEST623354971391.193.75.178192.168.2.5
      Jun 4, 2023 17:42:26.974164963 CEST4971362335192.168.2.591.193.75.178
      Jun 4, 2023 17:42:27.020880938 CEST623354971391.193.75.178192.168.2.5
      Jun 4, 2023 17:42:27.536618948 CEST4971362335192.168.2.591.193.75.178
      Jun 4, 2023 17:42:27.581342936 CEST623354971391.193.75.178192.168.2.5
      Jun 4, 2023 17:42:31.600708008 CEST4971462335192.168.2.591.193.75.178
      Jun 4, 2023 17:42:31.645589113 CEST623354971491.193.75.178192.168.2.5
      Jun 4, 2023 17:42:32.146420002 CEST4971462335192.168.2.591.193.75.178
      Jun 4, 2023 17:42:32.191236973 CEST623354971491.193.75.178192.168.2.5
      Jun 4, 2023 17:42:32.693353891 CEST4971462335192.168.2.591.193.75.178
      Jun 4, 2023 17:42:32.738332987 CEST623354971491.193.75.178192.168.2.5
      Jun 4, 2023 17:42:36.741517067 CEST4971562335192.168.2.591.193.75.178
      Jun 4, 2023 17:42:36.786386013 CEST623354971591.193.75.178192.168.2.5
      Jun 4, 2023 17:42:37.287365913 CEST4971562335192.168.2.591.193.75.178
      Jun 4, 2023 17:42:37.332129002 CEST623354971591.193.75.178192.168.2.5
      Jun 4, 2023 17:42:37.849920034 CEST4971562335192.168.2.591.193.75.178
      Jun 4, 2023 17:42:37.897248030 CEST623354971591.193.75.178192.168.2.5
      Jun 4, 2023 17:42:41.953573942 CEST4971662335192.168.2.5102.90.46.28
      Jun 4, 2023 17:42:44.962184906 CEST4971662335192.168.2.5102.90.46.28
      Jun 4, 2023 17:42:50.973063946 CEST4971662335192.168.2.5102.90.46.28
      Jun 4, 2023 17:43:01.282201052 CEST4971862335192.168.2.5102.90.46.28
      Jun 4, 2023 17:43:04.286673069 CEST4971862335192.168.2.5102.90.46.28
      Jun 4, 2023 17:43:10.287220001 CEST4971862335192.168.2.5102.90.46.28
      Jun 4, 2023 17:43:19.976326942 CEST4971962335192.168.2.5102.90.46.28
      Jun 4, 2023 17:43:22.975980997 CEST4971962335192.168.2.5102.90.46.28
      Jun 4, 2023 17:43:28.980907917 CEST4971962335192.168.2.5102.90.46.28

      UDP Packets

      TimestampSource PortDest PortSource IPDest IP
      Jun 4, 2023 17:41:29.799606085 CEST5029553192.168.2.58.8.8.8
      Jun 4, 2023 17:41:29.835984945 CEST53502958.8.8.8192.168.2.5
      Jun 4, 2023 17:41:49.048280001 CEST4917753192.168.2.58.8.8.8
      Jun 4, 2023 17:41:49.084583044 CEST53491778.8.8.8192.168.2.5
      Jun 4, 2023 17:42:07.508359909 CEST4972453192.168.2.58.8.8.8
      Jun 4, 2023 17:42:07.523355007 CEST53497248.8.8.8192.168.2.5
      Jun 4, 2023 17:42:41.917318106 CEST6145253192.168.2.58.8.8.8
      Jun 4, 2023 17:42:41.952620983 CEST53614528.8.8.8192.168.2.5
      Jun 4, 2023 17:43:01.252048016 CEST5148453192.168.2.58.8.8.8
      Jun 4, 2023 17:43:01.280893087 CEST53514848.8.8.8192.168.2.5
      Jun 4, 2023 17:43:19.947905064 CEST6344653192.168.2.58.8.8.8
      Jun 4, 2023 17:43:19.974457026 CEST53634468.8.8.8192.168.2.5

      DNS Queries

      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
      Jun 4, 2023 17:41:29.799606085 CEST192.168.2.58.8.8.80x6fb5Standard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false
      Jun 4, 2023 17:41:49.048280001 CEST192.168.2.58.8.8.80x3885Standard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false
      Jun 4, 2023 17:42:07.508359909 CEST192.168.2.58.8.8.80xe889Standard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false
      Jun 4, 2023 17:42:41.917318106 CEST192.168.2.58.8.8.80xe4a3Standard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false
      Jun 4, 2023 17:43:01.252048016 CEST192.168.2.58.8.8.80x9bdaStandard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false
      Jun 4, 2023 17:43:19.947905064 CEST192.168.2.58.8.8.80x4553Standard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false

      DNS Answers

      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
      Jun 4, 2023 17:41:29.835984945 CEST8.8.8.8192.168.2.50x6fb5No error (0)ezemnia3.ddns.net102.90.46.28A (IP address)IN (0x0001)false
      Jun 4, 2023 17:41:49.084583044 CEST8.8.8.8192.168.2.50x3885No error (0)ezemnia3.ddns.net102.90.46.28A (IP address)IN (0x0001)false
      Jun 4, 2023 17:42:07.523355007 CEST8.8.8.8192.168.2.50xe889No error (0)ezemnia3.ddns.net102.90.46.28A (IP address)IN (0x0001)false
      Jun 4, 2023 17:42:41.952620983 CEST8.8.8.8192.168.2.50xe4a3No error (0)ezemnia3.ddns.net102.90.46.28A (IP address)IN (0x0001)false
      Jun 4, 2023 17:43:01.280893087 CEST8.8.8.8192.168.2.50x9bdaNo error (0)ezemnia3.ddns.net102.90.46.28A (IP address)IN (0x0001)false
      Jun 4, 2023 17:43:19.974457026 CEST8.8.8.8192.168.2.50x4553No error (0)ezemnia3.ddns.net102.90.46.28A (IP address)IN (0x0001)false

      Statistics

      Behavior

      Click to jump to process

      System Behavior

      General

      Target ID:0
      Start time:17:41:24
      Start date:04/06/2023
      Path:C:\Users\user\Desktop\NA.exe
      Wow64 process (32bit):false
      Commandline:C:\Users\user\Desktop\NA.exe
      Imagebase:0x161787e0000
      File size:775680 bytes
      MD5 hash:6C432A8B26BC0E068F23E88F69C0F565
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      Reputation:low

      General

      Target ID:1
      Start time:17:41:26
      Start date:04/06/2023
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
      Imagebase:0x7f0000
      File size:107624 bytes
      MD5 hash:F866FC1C2E928779C7119353C3091F0C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      Reputation:moderate

      General

      Target ID:4
      Start time:17:41:39
      Start date:04/06/2023
      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Wow64 process (32bit):true
      Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
      Imagebase:0xc30000
      File size:107624 bytes
      MD5 hash:F866FC1C2E928779C7119353C3091F0C
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:.Net C# or VB.NET
      Antivirus matches:
      • Detection: 0%, ReversingLabs
      Reputation:moderate

      General

      Target ID:5
      Start time:17:41:39
      Start date:04/06/2023
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7fcd70000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high

      Disassembly

      No disassembly