Neonprimetime

#nanocore #rat observations 12-4-2017 to 12-11-2017

Dec 11th, 2017
#nanocore #rat observations of some item tagged on Hybrid Analysis

12/11/2017
sha256 320413b6d549da963b0d551bbf91427f20b234390b91f5faf2497d29dd0ae8c3
https://www.reverse.it/sample/320413b6d549da963b0d551bbf91427f20b234390b91f5faf2497d29dd0ae8c3?environmentId=100

contains strings with "NanoCore" in it
Uses unusual port ( 185.162.124.221 on port 4110 )
process hierarchy
(exe ->
--> cmd.exe -> reg.exe
--> tmp.exe
--> svhost.exe -> schtasks.exe
--> cmd.exe -> timeout.exe, tasklist.exe, find.exe, winlogon.exe
)
same metadata
CompanyName : www.SamLab.ws
ProductName : SAM DeCoDeR Pack 2015 Best

12/8/2017
sha256 5fa71c4a86e210b85850463ee326890ce74f297282ff1f74abeb35a0254fcdd9
https://www.reverse.it/sample/5fa71c4a86e210b85850463ee326890ce74f297282ff1f74abeb35a0254fcdd9?environmentId=100

does not contain strings with "NanoCore" in it
Uses unusual port ( 185.162.124.221 on port 4110 )
process hierarchy
(exe ->
--> cmd.exe -> reg.exe
--> tmp.exe -> cmd.exe -> reg.exe, tmp.exe
--> svhost.exe -> schtasks.exe
--> svhost.exe -> cmd.exe -> reg.exe, tmp.exe
--> cmd.exe -> timeout.exe, tasklist.exe, find.exe, winlogon.exe
)
same metadata
CompanyName : www.SamLab.ws
ProductName : SAM DeCoDeR Pack 2015 Best

12/4/2017
sha256 73a84b11c0e7140c846bb5316974037d1f6cb9574ca0d48c8919bd1e024c0073
https://www.reverse.it/sample/73a84b11c0e7140c846bb5316974037d1f6cb9574ca0d48c8919bd1e024c0073?environmentId=100

contains strings with "NanoCore" in it
Uses unusual port ( 5.34.183.64 on port 1921 )
process hierarchy
(exe ->
--> cmd.exe -> reg.exe
--> tmp.exe
--> svhost.exe -> schtasks.exe
--> cmd.exe -> timeout.exe, tasklist.exe, find.exe, winlogon.exe
)
same metadata
CompanyName : www.SamLab.ws
ProductName : SAM DeCoDeR Pack 2015 Best