
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 882701
MD5: 462948d717e44bda852450260ec44d37
SHA1: dc2aab0e06f483ee853ebec53cdb126131c0c8d7
SHA256: 1d28cee9d618d8f15b3875ea1ac44a8bf4d9c59171da3227ba3b973e0c9fdb1a
Tags: NET, exe, MSIL, NanoCore, x64

Detection

Nanocore, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5556 cmdline: C:\Users\user\Desktop\file.exe MD5: 462948D717E44BDA852450260EC44D37)
    • aspnet_compiler.exe (PID: 6456 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
  • dhcpmon.exe (PID: 6756 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "954449b5-566c-46fe-92f0-8eb82a7f", "Group": "Cashout", "Domain1": "ezemnia3.ddns.net", "Domain2": "91.193.75.178", "Port": 62335, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
    file.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
    • 0x40a73:$s1: file:///
    • 0x40981:$s2: {11111-22222-10009-11112}
    • 0x40a03:$s3: {11111-22222-50001-00000}
    • 0x3b9cf:$s4: get_Module
    • 0x380fb:$s5: Reverse
    • 0x37c27:$s6: BlockCopy
    • 0x38391:$s7: ReadByte
    • 0x40a85:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
    Source | Rule | Description | Author | Strings
    00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
    • 0xe38:$x2: NanoCore.ClientPlugin
    • 0xe75:$x3: NanoCore.ClientPluginHost
    • 0xe5a:$i1: IClientApp
    • 0xe4e:$i2: IClientData
    • 0xe29:$i3: IClientNetwork
    • 0xec3:$i4: IClientAppHost
    • 0xe65:$i5: IClientDataHost
    • 0xeb0:$i6: IClientLoggingHost
    • 0xe8f:$i7: IClientNetworkHost
    • 0xea2:$i8: IClientUIHost
    • 0xed2:$i9: IClientNameObjectCollection
    • 0xef7:$i10: IClientReadOnlyNameObjectCollection
    • 0xe41:$s1: ClientPlugin
    • 0x177c:$s1: ClientPlugin
    • 0x1789:$s1: ClientPlugin
    • 0x11f9:$s6: get_ClientSettings
    • 0x1249:$s7: get_Connected
    00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0xe75:$a1: NanoCore.ClientPluginHost
    • 0xe38:$a2: NanoCore.ClientPlugin
    • 0x120c:$b1: get_BuilderSettings
    • 0xec3:$b4: IClientAppHost
    • 0x127d:$b6: AddHostEntry
    • 0x12ec:$b7: LogClientException
    • 0x1261:$b8: PipeExists
    • 0xeb0:$b9: IClientLoggingHost
    00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Source | Rule | Description | Author | Strings
    1.2.aspnet_compiler.exe.50b0000.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    1.2.aspnet_compiler.exe.50b0000.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    1.2.aspnet_compiler.exe.50b0000.5.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
    • 0xe38:$x2: NanoCore.ClientPlugin
    • 0xe75:$x3: NanoCore.ClientPluginHost
    • 0xe5a:$i1: IClientApp
    • 0xe4e:$i2: IClientData
    • 0xe29:$i3: IClientNetwork
    • 0xec3:$i4: IClientAppHost
    • 0xe65:$i5: IClientDataHost
    • 0xeb0:$i6: IClientLoggingHost
    • 0xe8f:$i7: IClientNetworkHost
    • 0xea2:$i8: IClientUIHost
    • 0xed2:$i9: IClientNameObjectCollection
    • 0xef7:$i10: IClientReadOnlyNameObjectCollection
    • 0xe41:$s1: ClientPlugin
    • 0x177c:$s1: ClientPlugin
    • 0x1789:$s1: ClientPlugin
    • 0x11f9:$s6: get_ClientSettings
    • 0x1249:$s7: get_Connected
    1.2.aspnet_compiler.exe.50b0000.5.raw.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0xe75:$a1: NanoCore.ClientPluginHost
    • 0xe38:$a2: NanoCore.ClientPlugin
    • 0x120c:$b1: get_BuilderSettings
    • 0xec3:$b4: IClientAppHost
    • 0x127d:$b6: AddHostEntry
    • 0x12ec:$b7: LogClientException
    • 0x1261:$b8: PipeExists
    • 0xeb0:$b9: IClientLoggingHost
    1.2.aspnet_compiler.exe.384ff64.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xd9ad:$x1: NanoCore.ClientPluginHost
    • 0xd9da:$x2: IClientNetworkHost

    AV Detection

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 6456, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 6456, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Stealing of Sensitive Information

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 6456, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Remote Access Functionality

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 6456, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    No Snort rule has matched


    AV Detection

    Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "954449b5-566c-46fe-92f0-8eb82a7f", "Group": "Cashout", "Domain1": "ezemnia3.ddns.net", "Domain2": "91.193.75.178", "Port": 62335, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
    Source: file.exe | ReversingLabs: Detection: 54%
    Source: file.exe | Virustotal: Detection: 60%
    Source: 91.193.75.178 | Avira URL Cloud: Label: malware
    Source: ezemnia3.ddns.net | Avira URL Cloud: Label: malware
    Source: ezemnia3.ddns.net | Virustotal: Detection: 6%
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR
    Source: file.exe | Joe Sandbox ML: detected
    Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: CEMENT.pdb source: file.exe, 00000000.00000002.354909310.0000021A9177F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.354771206.0000021A8FC10000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: NBNNhH873.pdb source: file.exe
    Source: Binary string: aspnet_compiler.pdb source: dhcpmon.exe, 00000002.00000000.379027026.0000000000B82000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr

    Networking

    Source: Malware configuration extractor | URLs: ezemnia3.ddns.net
    Source: Malware configuration extractor | URLs: 91.193.75.178
    Source: unknown | DNS query: name: ezemnia3.ddns.net
    Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
    Source: Joe Sandbox View | IP Address: 79.134.225.109
    Source: global traffic | TCP traffic: 192.168.2.7:49701 -> 79.134.225.109:62335
    Source: global traffic | TCP traffic: 192.168.2.7:49704 -> 91.193.75.178:62335
    Source: unknown | TCP traffic detected without corresponding DNS query: 91.193.75.178 (this entry is repeated 30 times in the report)
    Source: dhcpmon.exe, 00000002.00000002.380713121.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
    Source: dhcpmon.exe, 00000002.00000002.380713121.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.ce
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: unknown | DNS traffic detected: queries for: ezemnia3.ddns.net
    Source: aspnet_compiler.exe, 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

    E-Banking Fraud

    Source: Yara match | File source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR

    System Summary

    Source: file.exe, type: SAMPLE | Matched rule: Detects zgRAT Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.0.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
    Source: 0.2.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: file.exe, type: SAMPLE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.0.file.exe.21a8f880000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 0.2.file.exe.21a8f880000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C5E480
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C5E47B
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C5BBD4
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_05DE0040
    Source: file.exe | Static PE information: No import functions for PE file found
    Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
    Source: file.exe, 00000000.00000002.354909310.0000021A9177F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
    Source: file.exe, 00000000.00000002.354771206.0000021A8FC10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
    Source: file.exe, 00000000.00000002.354396278.0000021A8FA8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
    Source: file.exe, 00000000.00000002.354205581.0000021A8F882000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNBNNhH873.exe4 vs file.exe
    Source: file.exe | Binary or memory string: OriginalFilenameNBNNhH873.exe4 vs file.exe
    Source: file.exe | ReversingLabs: Detection: 54%
    Source: file.exe | Virustotal: Detection: 60%
    Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/5@14/2
    Source: file.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
    Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{954449b5-566c-46fe-92f0-8eb82a7f77b0}
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File created: C:\Program Files (x86)\DHCP Monitor
    Source: file.exe, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: file.exe, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: CEMENT.pdb | source: file.exe, 00000000.00000002.354909310.0000021A9177F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.354771206.0000021A8FC10000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: NBNNhH873.pdb | source: file.exe
    Source: Binary string: aspnet_compiler.pdb | source: dhcpmon.exe, 00000002.00000000.379027026.0000000000B82000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr

    Data Obfuscation

    Source: file.exe, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFDC2A960C4 push ecx; ret
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFDC2A96177 push ecx; ret
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C5E0F0 push edx; retf 0004h
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C5E471 push ebx; retf 0004h
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C5C078 push ds; iretd
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C5E349 push edx; retf 0004h
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C5E36F push edx; retf 0004h
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C5ED89 push esi; retf 0004h
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C5EDB9 push esi; retf 0004h
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C58A61 push ss; retf 0004h
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C58A70 push ss; retf B404h
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C59660 push ds; retf 0004h
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C593D9 push ds; retf 0004h
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C5984B push cs; iretd
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C57A80 push cs; retf 0004h
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_04C57A71 push cs; retf 0004h
    Source: file.exe | Static PE information: 0xB76DF3A6 [Sat Jul 9 11:25:26 2067 UTC]
    Source: initial sample | Static PE information: section name: .text entropy: 7.054014763171646
    Source: file.exe, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs | High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'Hx4vQNcd31n6GJ95Wad'
    Source: file.exe, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'krBFRwabjV', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
    Source: file.exe, rTtVXgHRgBSsFavshV/fousyr1O5TImehMQsy.cs | High entropy of concatenated method names: 'BjCF97Wa5c', '.ctor', '.cctor', 'Ysni9rctKFx8qVItZhM', 'YgI30QcxVFhgKAD96hv', 'nHZlwWcckR7hjbYV03e', 'WBug2BxqYpRTp9wQd6u', 'bufahpxz5fikLNVk8HV', 'FLONpHcK02MrZ9D5BLA', 'SeG0nPc92dFm6Ah5LaP'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exe TID: 6464Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5700Thread sleep time: -12912720851596678s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6844Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWindow / User API: threadDelayed 9731
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWindow / User API: foregroundWindowGot 1082
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information queried: ProcessInformation
    Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: aspnet_compiler.exe, 00000001.00000002.606057054.0000000000A78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 420000
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 422000
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 790008
    Source: file.exe, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.csReference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
    Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.0000000002DAB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager0U
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.00000000028CD000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.606910359.0000000002874000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.606910359.0000000002B43000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.00000000028CD000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.606910359.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.606910359.0000000002B70000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager`i
    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: file.exe, type: SAMPLE
    Source: Yara matchFile source: 0.0.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: file.exe, type: SAMPLE
    Source: Yara matchFile source: 0.0.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE
    Source: file.exe, 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: aspnet_compiler.exe, 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR
    MITRE ATT&CK matrix, listed by tactic column (a number before a technique name is the count shown for it in the matrix):

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
    Execution: 1 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
    Privilege Escalation: 312 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
    Defense Evasion: 2 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 312 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp
    Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
    Discovery: 1 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 12 System Information Discovery; System Owner/User Discovery; Network Sniffing; Network Service Scanning; System Network Connections Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
    Collection: 11 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
    Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Antivirus detection, submitted file:
Source | Detection | Scanner | Label | Link
file.exe | 54% | ReversingLabs | Win64.Trojan.Cerbu |
file.exe | 61% | Virustotal | | Browse
file.exe | 100% | Joe Sandbox ML | |

Antivirus detection, dropped files:
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs | |

Antivirus detection, unpacked PE files: No Antivirus matches

Antivirus detection, domains:
Source | Detection | Scanner | Label | Link
ezemnia3.ddns.net | 7% | Virustotal | | Browse

Antivirus detection, URLs:
Source | Detection | Scanner | Label | Link
http://go.microsoft.c | 0% | URL Reputation | safe |
91.193.75.178 | 100% | Avira URL Cloud | malware |
ezemnia3.ddns.net | 100% | Avira URL Cloud | malware |
http://go.microsoft.ce | 0% | Avira URL Cloud | safe |
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ezemnia3.ddns.net | 79.134.225.109 | true | true | | unknown

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
ezemnia3.ddns.net | true | Avira URL Cloud: malware | unknown
91.193.75.178 | true | Avira URL Cloud: malware | unknown

URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
http://go.microsoft.c | dhcpmon.exe, 00000002.00000002.380713121.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://go.microsoft.ce | dhcpmon.exe, 00000002.00000002.380713121.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | aspnet_compiler.exe, 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
79.134.225.109 | ezemnia3.ddns.net | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true
91.193.75.178 | unknown | Serbia | 209623 | DAVID_CRAIGGG | true
      Joe Sandbox Version:37.1.0 Beryl
      Analysis ID:882701
      Start date and time:2023-06-06 17:14:01 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 10m 22s
      Hypervisor based Inspection enabled:false
      Report type:light
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample file name:file.exe
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@5/5@14/2
      EGA Information:
      • Successful, ratio: 33.3%
      HDC Information:
      • Successful, ratio: 21.8% (good quality ratio 17.8%)
      • Quality average: 67%
      • Quality standard deviation: 39.3%
      HCA Information:
      • Successful, ratio: 71%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
      • TCP Packets have been reduced to 100
      • Execution Graph export aborted for target dhcpmon.exe, PID 6756 because it is empty
      • Execution Graph export aborted for target file.exe, PID 5556 because it is empty
• Not all processes were analyzed, report is missing behavior information

Time | Type | Description
17:15:07 | API Interceptor | 967x Sleep call for process: aspnet_compiler.exe modified
17:15:09 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):55400
      Entropy (8bit):6.093991957600089
      Encrypted:false
      SSDEEP:768:kF9E8FLLs2Zokf85dImTg6Iq88nqf7PpjU/VifNL45bO:kfE6EkfOdImT/9KU/Vot45bO
      MD5:17CC69238395DF61AAF483BCEF02E7C9
      SHA1:B164C5DC95EBCC9ECB305E43789B57E7895781DE
      SHA-256:A1661DB1B74B876A7E789FC6EBB4E34BEAFA2B48A08E13FD18927FBECC9D2AC4
      SHA-512:308CC2AB766D2233E5F5F16EF0751C525BA3017C8A4D5177E2FF1A23CD12BAD4F43DADF01139CA163951916145C2F9465A9FA50D50A365AB86942FE55B916087
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Reputation:moderate, very likely benign file
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0................. ........@.. ....................................`.................................t...O.......................h>..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(.....*.(....-..*.~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....
      Process:C:\Users\user\Desktop\file.exe
      File Type:CSV text
      Category:dropped
      Size (bytes):226
      Entropy (8bit):5.354940450065058
      Encrypted:false
      SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
      MD5:B10E37251C5B495643F331DB2EEC3394
      SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
      SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
      SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
      Malicious:true
      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      File Type:ASCII text, with CRLF line terminators
      Category:modified
      Size (bytes):311
      Entropy (8bit):5.323131242172993
      Encrypted:false
      SSDEEP:6:Q3La/xwchA2DLIP12MUAvvr3tDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hhpDLI4M9tDLI4MWuPk21v
      MD5:8722E88F9E6ACB8D431A70E7039AEB75
      SHA1:28046D604A6500451BE3F539BAA6BA4BB68A70D0
      SHA-256:3C0F25EBE9FE43091DE5A65EE92748F2B531F29DD2743B0D4E01DCCFADC95B5E
      SHA-512:937092F2EDCABD47CD1896C5CFBAB8E7E443D1039650B3462DF0E301F6C53562A4B91FBF59A04957839DE5C121D061C08C6BD274E02DF2C8CC477F601C442C3B
      Malicious:false
      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      File Type:Non-ISO extended-ASCII text, with no line terminators
      Category:dropped
      Size (bytes):8
      Entropy (8bit):3.0
      Encrypted:false
      SSDEEP:3:SOn:Zn
      MD5:35C3B7D287B3D7DDA2548CB6799E9192
      SHA1:FDD242386FADD4FAC7A8D93C639A25E8A0F4F2ED
      SHA-256:0B2B3855EB67B8B74020AAEE373630892006E4D7F98E96607345909569FDCE97
      SHA-512:ECAAC20D2BD04022BC333DF69F64D5BD35C40AD27DB3FDD4B9A054A4B1EE225903F9B1F89C8A89AC8B56843ED3DAB6352658E3F18743F987D7DBF1AE77283156
      Malicious:true
      Preview:.I.?.f.H
      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):221
      Entropy (8bit):4.832091525010539
      Encrypted:false
      SSDEEP:6:zx3Me21f1LRJIQtUbw/VgRZBXVN+1GFJqozrCib:zKpj1JIdwqBFN+1Q3b
      MD5:57D5333A79B0C23C3389A5E316FAD23D
      SHA1:8D1047C6BF4929C993C504E2EF64D689C8F6BFC7
      SHA-256:83324659D6790503513C9B336FE9C6E368B4A8E88F11543D328ED871B86D5AD7
      SHA-512:FA15BD8DAABE061EC4629985E2500DA293817E32168EF91AB1F31CD2A322EC937236D86A58633862A7B40E7F15740C8A1F0E82EBB533334760E07CD84B6FF46A
      Malicious:false
      Preview:Microsoft (R) ASP.NET Compilation Tool version 4.7.3056.0..Utility to precompile an ASP.NET application..Copyright (C) Microsoft Corporation. All rights reserved.....Run 'aspnet_compiler -?' for a list of valid options...
      File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
      Entropy (8bit):7.046283595928448
      TrID:
      • Win64 Executable GUI Net Framework (217006/5) 49.88%
      • Win64 Executable GUI (202006/5) 46.43%
      • Win64 Executable (generic) (12005/4) 2.76%
      • Generic Win/DOS Executable (2004/3) 0.46%
      • DOS Executable Generic (2002/1) 0.46%
      File name:file.exe
      File size:492032
      MD5:462948d717e44bda852450260ec44d37
      SHA1:dc2aab0e06f483ee853ebec53cdb126131c0c8d7
      SHA256:1d28cee9d618d8f15b3875ea1ac44a8bf4d9c59171da3227ba3b973e0c9fdb1a
      SHA512:33620c953b59d5bb149ef24eb73d4c972629faa01abe3ed6027f00b6d06611c12866f6334d6c8224422a5e64e3a8ae102debaa403d48dc4ce1519c3250ad8e21
      SSDEEP:12288:OKC8ZS2btvRz4Ber6bHfbUyMD0v+c1ouiLNISO:TZSiYbUyN/1opx
      TLSH:FAA49E8B3609E82DC1DC6777D6DB08145BA09E81B307E7067CC723A94D0B7BBAD49987
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....m...............0..z............... ....@...... ....................................`...@......@............... .....
      Icon Hash:90cececece8e8eb0
      Entrypoint:0x400000
      Entrypoint Section:
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Time Stamp:0xB76DF3A6 [Sat Jul 9 11:25:26 2067 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:
      Instruction
      dec ebp
      pop edx
      nop
      add byte ptr [ebx], al
      add byte ptr [eax], al
      add byte ptr [eax+eax], al
      add byte ptr [eax], al
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7a000 | 0x5a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x799b1 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x77a00 | 0x77a00 | False | 0.6748546891327064 | data | 7.054014763171646 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x7a000 | 0x5a8 | 0x600 | False | 0.4212239583333333 | data | 4.127241324318816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x7a0a0 | 0x31c | data | |
RT_MANIFEST | 0x7a3bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 6, 2023 17:15:08.041075945 CEST | 49701 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:08.064122915 CEST | 62335 | 49701 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:08.575122118 CEST | 49701 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:08.598395109 CEST | 62335 | 49701 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:09.106395960 CEST | 49701 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:09.129582882 CEST | 62335 | 49701 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:13.262106895 CEST | 49702 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:13.285293102 CEST | 62335 | 49702 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:13.794352055 CEST | 49702 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:13.817455053 CEST | 62335 | 49702 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:14.325635910 CEST | 49702 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:14.348802090 CEST | 62335 | 49702 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:18.471764088 CEST | 49703 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:18.494910002 CEST | 62335 | 49703 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:18.997859001 CEST | 49703 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:19.020761967 CEST | 62335 | 49703 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:19.529185057 CEST | 49703 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:19.556165934 CEST | 62335 | 49703 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:23.562443972 CEST | 49704 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:23.606931925 CEST | 62335 | 49704 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:24.108072042 CEST | 49704 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:24.153078079 CEST | 62335 | 49704 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:24.654901028 CEST | 49704 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:24.700830936 CEST | 62335 | 49704 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:28.719141006 CEST | 49705 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:28.763087034 CEST | 62335 | 49705 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:29.264481068 CEST | 49705 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:29.308525085 CEST | 62335 | 49705 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:29.811388016 CEST | 49705 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:29.855462074 CEST | 62335 | 49705 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:34.061952114 CEST | 49706 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:34.106059074 CEST | 62335 | 49706 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:34.611581087 CEST | 49706 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:34.655601978 CEST | 62335 | 49706 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:35.171221972 CEST | 49706 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:35.215231895 CEST | 62335 | 49706 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:39.625550032 CEST | 49707 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:42.640611887 CEST | 49707 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:42.664053917 CEST | 62335 | 49707 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:43.171874046 CEST | 49707 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:43.195173979 CEST | 62335 | 49707 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:49.271398067 CEST | 49708 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:49.294245005 CEST | 62335 | 49708 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:49.813050985 CEST | 49708 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:49.835954905 CEST | 62335 | 49708 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:50.344496012 CEST | 49708 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:50.367347002 CEST | 62335 | 49708 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:54.428234100 CEST | 49709 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:54.451291084 CEST | 62335 | 49709 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:54.954147100 CEST | 49709 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:54.977171898 CEST | 62335 | 49709 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:55.641733885 CEST | 49709 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:55.664686918 CEST | 62335 | 49709 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:59.694163084 CEST | 49710 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:59.738123894 CEST | 62335 | 49710 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:00.251595020 CEST | 49710 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:00.295561075 CEST | 62335 | 49710 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:00.798471928 CEST | 49710 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:00.842293024 CEST | 62335 | 49710 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:04.862592936 CEST | 49711 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:04.907056093 CEST | 62335 | 49711 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:05.408205032 CEST | 49711 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:05.453219891 CEST | 62335 | 49711 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:05.955111980 CEST | 49711 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:05.999815941 CEST | 62335 | 49711 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:10.003779888 CEST | 49712 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:10.047799110 CEST | 62335 | 49712 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:10.549226999 CEST | 49712 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:10.593605042 CEST | 62335 | 49712 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:11.096235991 CEST | 49712 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:11.140382051 CEST | 62335 | 49712 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:15.266731977 CEST | 49713 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:15.289588928 CEST | 62335 | 49713 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:15.799732924 CEST | 49713 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:15.822609901 CEST | 62335 | 49713 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:16.331099987 CEST | 49713 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:16.355072975 CEST | 62335 | 49713 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:20.413760900 CEST | 49714 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:20.436634064 CEST | 62335 | 49714 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:20.940757036 CEST | 49714 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:20.963783026 CEST | 62335 | 49714 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:21.472040892 CEST | 49714 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:21.495032072 CEST | 62335 | 49714 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:25.562000036 CEST | 49715 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:25.585058928 CEST | 62335 | 49715 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:26.097568989 CEST | 49715 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:26.120632887 CEST | 62335 | 49715 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:26.628866911 CEST | 49715 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:26.652060986 CEST | 62335 | 49715 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:31.361818075 CEST | 49716 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:31.406481981 CEST | 62335 | 49716 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:31.910552979 CEST | 49716 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:31.954881907 CEST | 62335 | 49716 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:32.458163023 CEST | 49716 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:32.505105972 CEST | 62335 | 49716 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:36.522037029 CEST | 49717 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:36.566148996 CEST | 62335 | 49717 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:37.067183971 CEST | 49717 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:37.111156940 CEST | 62335 | 49717 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:37.614214897 CEST | 49717 | 62335 | 192.168.2.7 | 91.193.75.178
UDP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 6, 2023 17:15:07.998409986 CEST | 50505 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:15:08.025670052 CEST | 53 | 50505 | 8.8.8.8 | 192.168.2.7
Jun 6, 2023 17:15:13.234164000 CEST | 61178 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:15:13.260972023 CEST | 53 | 61178 | 8.8.8.8 | 192.168.2.7
Jun 6, 2023 17:15:18.433037996 CEST | 63926 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:15:18.468348980 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.7
Jun 6, 2023 17:15:39.592907906 CEST | 53336 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:15:39.622659922 CEST | 53 | 53336 | 8.8.8.8 | 192.168.2.7
Jun 6, 2023 17:15:47.244153023 CEST | 51007 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:15:48.235038042 CEST | 51007 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:15:49.251396894 CEST | 51007 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:15:49.266007900 CEST | 53 | 51007 | 8.8.8.8 | 192.168.2.7
Jun 6, 2023 17:15:54.400418997 CEST | 50513 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:15:54.427000046 CEST | 53 | 50513 | 8.8.8.8 | 192.168.2.7
Jun 6, 2023 17:16:15.239398956 CEST | 60765 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:16:15.265321970 CEST | 53 | 60765 | 8.8.8.8 | 192.168.2.7
Jun 6, 2023 17:16:20.392754078 CEST | 58283 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:16:20.412233114 CEST | 53 | 58283 | 8.8.8.8 | 192.168.2.7
Jun 6, 2023 17:16:25.534626961 CEST | 50024 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:16:25.560704947 CEST | 53 | 50024 | 8.8.8.8 | 192.168.2.7
Jun 6, 2023 17:16:47.245126009 CEST | 49516 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:16:47.265167952 CEST | 53 | 49516 | 8.8.8.8 | 192.168.2.7
Jun 6, 2023 17:16:52.649135113 CEST | 62679 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:16:52.684768915 CEST | 53 | 62679 | 8.8.8.8 | 192.168.2.7
Jun 6, 2023 17:16:57.794095039 CEST | 61392 | 53 | 192.168.2.7 | 8.8.8.8
Jun 6, 2023 17:16:57.822252989 CEST | 53 | 61392 | 8.8.8.8 | 192.168.2.7
DNS queries:
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 6, 2023 17:15:07.998409986 CEST | 192.168.2.7 | 8.8.8.8 | 0x6942 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:13.234164000 CEST | 192.168.2.7 | 8.8.8.8 | 0xc87a | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:18.433037996 CEST | 192.168.2.7 | 8.8.8.8 | 0x96e | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:39.592907906 CEST | 192.168.2.7 | 8.8.8.8 | 0xdc39 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:47.244153023 CEST | 192.168.2.7 | 8.8.8.8 | 0xecba | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:48.235038042 CEST | 192.168.2.7 | 8.8.8.8 | 0xecba | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:49.251396894 CEST | 192.168.2.7 | 8.8.8.8 | 0xecba | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:54.400418997 CEST | 192.168.2.7 | 8.8.8.8 | 0xf336 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:15.239398956 CEST | 192.168.2.7 | 8.8.8.8 | 0x5e3f | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:20.392754078 CEST | 192.168.2.7 | 8.8.8.8 | 0x9e74 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:25.534626961 CEST | 192.168.2.7 | 8.8.8.8 | 0xb958 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:47.245126009 CEST | 192.168.2.7 | 8.8.8.8 | 0x236c | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:52.649135113 CEST | 192.168.2.7 | 8.8.8.8 | 0xa3d1 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:57.794095039 CEST | 192.168.2.7 | 8.8.8.8 | 0x6ec | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
DNS answers:
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 6, 2023 17:15:08.025670052 CEST | 8.8.8.8 | 192.168.2.7 | 0x6942 | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:13.260972023 CEST | 8.8.8.8 | 192.168.2.7 | 0xc87a | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:18.468348980 CEST | 8.8.8.8 | 192.168.2.7 | 0x96e | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:39.622659922 CEST | 8.8.8.8 | 192.168.2.7 | 0xdc39 | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:49.266007900 CEST | 8.8.8.8 | 192.168.2.7 | 0xecba | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:15:54.427000046 CEST | 8.8.8.8 | 192.168.2.7 | 0xf336 | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:15.265321970 CEST | 8.8.8.8 | 192.168.2.7 | 0x5e3f | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:20.412233114 CEST | 8.8.8.8 | 192.168.2.7 | 0x9e74 | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:25.560704947 CEST | 8.8.8.8 | 192.168.2.7 | 0xb958 | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:47.265167952 CEST | 8.8.8.8 | 192.168.2.7 | 0x236c | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:52.684768915 CEST | 8.8.8.8 | 192.168.2.7 | 0xa3d1 | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false
Jun 6, 2023 17:16:57.822252989 CEST | 8.8.8.8 | 192.168.2.7 | 0x6ec | No error (0) | ezemnia3.ddns.net | | 79.134.225.109 | A (IP address) | IN (0x0001) | false


      Target ID:0
      Start time:17:14:59
      Start date:06/06/2023
      Path:C:\Users\user\Desktop\file.exe
      Wow64 process (32bit):false
      Commandline:C:\Users\user\Desktop\file.exe
      Imagebase:0x21a8f880000
      File size:492032 bytes
      MD5 hash:462948D717E44BDA852450260EC44D37
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      Reputation:low

      Target ID:1
      Start time:17:15:05
      Start date:06/06/2023
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Imagebase:0x4a0000
      File size:55400 bytes
      MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      Reputation:high

      Target ID:2
      Start time:17:15:17
      Start date:06/06/2023
      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Wow64 process (32bit):true
      Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
      Imagebase:0xb80000
      File size:55400 bytes
      MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:.Net C# or VB.NET
      Antivirus matches:
      • Detection: 0%, ReversingLabs
      Reputation:high

      Target ID:3
      Start time:17:15:18
      Start date:06/06/2023
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff6edaf0000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high

      No disassembly