
Analysis Report 2KGU6Ue1fD.exe

Overview

General Information

Sample Name:2KGU6Ue1fD.exe
Analysis ID:255240
MD5:c85493fbd869baf0b92c89a09604562d
SHA1:c3412e74e5a797d3d087d05fcf7e03c03e960e1a
SHA256:3a8a04925d66b89b7cdb459aa6fc33e5132c447efcc541ab86e17b74f64a8287

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Creates files in alternative data streams (ADS)
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • 2KGU6Ue1fD.exe (PID: 7048 cmdline: 'C:\Users\user\Desktop\2KGU6Ue1fD.exe' MD5: C85493FBD869BAF0B92C89A09604562D)
    • notepad.exe (PID: 7064 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • hdjfksfj.exe (PID: 7084 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
        • hdjfksfj.exe (PID: 7104 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
        • hdjfksfj.exe (PID: 7116 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe' 2 7104 4118968 MD5: C85493FBD869BAF0B92C89A09604562D)
  • wscript.exe (PID: 4484 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • hdjfksfj.exe (PID: 6104 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe' MD5: C85493FBD869BAF0B92C89A09604562D)
      • hdjfksfj.exe (PID: 6328 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe' MD5: C85493FBD869BAF0B92C89A09604562D)
      • hdjfksfj.exe (PID: 6444 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe' 2 6328 4136703 MD5: C85493FBD869BAF0B92C89A09604562D)
        • hdjfksfj.exe (PID: 5948 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
          • hdjfksfj.exe (PID: 4440 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
          • hdjfksfj.exe (PID: 7080 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe' 2 4440 4148328 MD5: C85493FBD869BAF0B92C89A09604562D)
            • hdjfksfj.exe (PID: 5972 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
              • hdjfksfj.exe (PID: 5980 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
              • hdjfksfj.exe (PID: 4700 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe' 2 5980 4160406 MD5: C85493FBD869BAF0B92C89A09604562D)
                • hdjfksfj.exe (PID: 500 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
                  • hdjfksfj.exe (PID: 4164 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
                  • hdjfksfj.exe (PID: 6908 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe' 2 4164 4174421 MD5: C85493FBD869BAF0B92C89A09604562D)
                    • hdjfksfj.exe (PID: 5736 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
                      • hdjfksfj.exe (PID: 3932 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
                      • hdjfksfj.exe (PID: 4816 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe' 2 3932 4186296 MD5: C85493FBD869BAF0B92C89A09604562D)
                        • hdjfksfj.exe (PID: 5416 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
                          • hdjfksfj.exe (PID: 5440 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
                          • hdjfksfj.exe (PID: 5444 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe' 2 5440 4200625 MD5: C85493FBD869BAF0B92C89A09604562D)
                            • hdjfksfj.exe (PID: 5048 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
                              • hdjfksfj.exe (PID: 6060 cmdline: C:\Users\user\AppData\Roaming\appdata\hdjfksfj.exe MD5: C85493FBD869BAF0B92C89A09604562D)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 00000027.00000002.494496986.0000000000402000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000027.00000002.494496986.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000027.00000002.494496986.0000000000402000.00000040.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

Source: 00000003.00000002.539418354.0000000000447000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x101e5:$x1: NanoCore.ClientPluginHost
  • 0x10222:$x2: IClientNetworkHost
  • 0x13d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000003.00000002.539418354.0000000000447000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security