NanoCore | 3c0512176cbc

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\3c0512176cbca3ce1b0abc5f505a3abbcd39909c20095d995f019197f42439d3.exe

Sample File

Binary

Also Known As	C:\Program Files\AGP Service\agpsvc.exe (Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	181.50 KB
MD5	19230db458718df6fa70d9817925ac7a
SHA1	04eba42e98b996b5b9e1783e37de8b45c42d56f4
SHA256	3c0512176cbca3ce1b0abc5f505a3abbcd39909c20095d995f019197f42439d3
SSDeep	3072:GzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HISp9Jzf+hpWavwPJLehxm:GLV6Bta6dtJmakIM5PJr+hz2JGm
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

PE Information

Image Base	0x00400000
Entry Point	0x0041E792
Size Of Code	0x0001C800
Size Of Initialized Data	0x00010C00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2015-02-22 01:49 (UTC+1)

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x0001C798	0x0001C800	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.6
.reloc	0x00420000	0x0000000C	0x00000200	0x0001CA00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1
.rsrc	0x00422000	0x00010860	0x00010A00	0x0001CC00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	8.0

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x0001E760	0x0001C960	0x00000000

Memory Dumps (33)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
3c0512176cbca3ce1b0abc5f505a3abbcd39909c20095d995f019197f42439d3.exe	1	0x00400000	0x00433FFF	Relevant Image	64-bit	-	... Actions Go to Process Go to YARA Match Download Dump
3c0512176cbca3ce1b0abc5f505a3abbcd39909c20095d995f019197f42439d3.exe	1	0x00400000	0x00433FFF	Final Dump	64-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x1AE60000	0x1AE64FFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	1	0x1AE70000	0x1AE83FFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	1	0x02070000	0x02072FFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	1	0x1BD3B000	0x1BD3FFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	1	0x1BBC6000	0x1BBCFFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	1	0x1B8EE000	0x1B8EFFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	1	0x1B7EC000	0x1B7EFFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	1	0x1AD5C000	0x1AD5FFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0013D000	0x0014FFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
3c0512176cbca3ce1b0abc5f505a3abbcd39909c20095d995f019197f42439d3.exe	1	0x00400000	0x00433FFF	First Network Behavior	64-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x00560000	0x0056CFFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
agpsvc.exe	2	0x00400000	0x00433FFF	Relevant Image	64-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x022B0000	0x022B4FFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x02320000	0x02333FFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x02150000	0x02152FFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1AF60000	0x1AF6CFFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1AF70000	0x1AF7CFFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1B8E0000	0x1B8E5FFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1B8F0000	0x1B8FEFFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1B900000	0x1B909FFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1B910000	0x1B938FFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00580000	0x0058EFFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1BEB0000	0x1BF39FFF	Reflectively Loaded .NET Assembly	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1C36B000	0x1C36FFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1BE86000	0x1BE8FFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1BBAE000	0x1BBAFFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1BAAC000	0x1BAAFFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x1AE5C000	0x1AE5FFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	2	0x0013D000	0x0014FFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
agpsvc.exe	2	0x00400000	0x00433FFF	First Network Behavior	64-bit	-	... Actions Go to Process Go to YARA Match Download Dump
agpsvc.exe	2	0x00400000	0x00433FFF	Final Dump	64-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
NanoCoreRAT	NanoCore RAT	Backdoor	5/5	... Actions Show Ruleset Show Match

C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\storage.dat

Dropped File

Stream

MIME Type	application/octet-stream
File Size	589.02 KB
MD5	3da657e5eb120800e611dff879883098
SHA1	5f0a11664cff201ae48aad6f445eaa7986de3144
SHA256	ead8faa893fb5fe91b98142b59ff54f6478e50010c41d2f7452d64480361886c
SSDeep	12288:YeyJkKF5iz23Thg8WZk+tXjULy3xBep7QjbLy:RKt3Ta1XwLy3Hep7QXLy
ImpHash	-

C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\catalog.dat

Dropped File

Stream

MIME Type	application/octet-stream
File Size	160 Bytes
MD5	e9e233445ccb4614996a388e62e17a08
SHA1	7f0c3cb2ac74db53b8ce816703b71601cdaed817
SHA256	84f32984d89bc05205983407034575a25994ad460f422a94799ffb01e12cbb73
SSDeep	3:XrURGizD7cnRNGbgCFKRNrNL61CYNT1Xj7XJcsbGENfK90Aj37:X4LDAnybgCFs61bbKCDNfm0ar
ImpHash	-

C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\Logs\RDhJ0CNFevzX\KB_26088703.dat

Dropped File

Stream

MIME Type	application/octet-stream
File Size	75 Bytes
MD5	e549a671f8e4e65646de64baa6379fb2
SHA1	e20a419f293a5f3280c820e90746068e60dd7cb4
SHA256	8ae448cd711617542a7fad2bf2762239b0c12a13d568722ac16780c8db6f2a88
SSDeep	3:TIHkw+AdsK4B1E4gQOFt8abAs1P:EHkw14nI/bb1P
ImpHash	-

C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\settings.bak

Dropped File

Stream

Also Known As	C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\settings.bin (Accessed File)
MIME Type	application/octet-stream
File Size	40 Bytes
MD5	4e5e92e2369688041cc82ef9650eded2
SHA1	15e44f2f3194ee232b44e9684163b6f66472c862
SHA256	f8098a6290118f2944b9e7c842bd014377d45844379f863b00d54515a8a64b48
SSDeep	3:9bzY6oRDT6P2bfVn1:RzWDT621
ImpHash	-

C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\settings.bak

Dropped File

Stream

Also Known As	C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\settings.bin (Accessed File)
MIME Type	application/octet-stream
File Size	8 Bytes
MD5	cdbed468f133c3bafff2bb301c37800a
SHA1	01cd45c2244c66eb201a3bbb2b44b8db3753c910
SHA256	3c099e8a656f6d63978ecb6dd8d4c8eacdb689bb2f748314550dc78a05f30d95
SSDeep	3:2b:2b
ImpHash	-

C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\run.dat

Dropped File

Stream

MIME Type	application/octet-stream
File Size	8 Bytes
MD5	ed2eb820ec148f91393b781791d3671a
SHA1	0141c5d43ce2c051489721ea89a30b58c326a5ec
SHA256	55f65c094c7b282d2a006f5cdf2401748b78c673346bba5b2c714209541a9732
SSDeep	3:rG:C
ImpHash	-

37af1cc5a7606c4cce476c2324b066c3a7f625eee010baf8347937ad13fd4081

Extracted File

Image

Parent File	b89b133a45aefbd237a8a386bc093ceb67d0116acef6c12e6e4ea3124f98d4cb
MIME Type	image/png
File Size	851 Bytes
MD5	c979c0d3d2f8cca15ea84bf23abe70a9
SHA1	1697075cc08b8f994e1b8dae013efecf49e5b363
SHA256	37af1cc5a7606c4cce476c2324b066c3a7f625eee010baf8347937ad13fd4081
SSDeep	24:JDDOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT:JDr
ImpHash	-

Remarks (1/1)

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information