Loading ...

Play interactive tourEdit tour

Analysis Report mQkSxltFLk.exe

Overview

General Information

Sample Name:mQkSxltFLk.exe
Analysis ID:255241
MD5:bb4eb0cc2f31f248a9c2f38c0abbb252
SHA1:562528a4a0ea3eefe8e5526ad68ffdf3df9b5e64
SHA256:5901a8e4a36574b8ca6cb3c899e64cdfc27395de606cd4a512431e6dd827196f

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • mQkSxltFLk.exe (PID: 7124 cmdline: 'C:\Users\user\Desktop\mQkSxltFLk.exe' MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
    • notepad.exe (PID: 7156 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • hfsjrifske.exe (PID: 3280 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
        • hfsjrifske.exe (PID: 1772 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
          • schtasks.exe (PID: 6420 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E16.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • hfsjrifske.exe (PID: 5544 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe' MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
                • hfsjrifske.exe (PID: 4208 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe' MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
                • hfsjrifske.exe (PID: 5592 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe' 2 4208 4385671 MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
          • schtasks.exe (PID: 6688 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp9105.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • hfsjrifske.exe (PID: 6324 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe' 2 1772 4360468 MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
  • hfsjrifske.exe (PID: 5668 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe 0 MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
    • hfsjrifske.exe (PID: 5516 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe 0 MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
    • hfsjrifske.exe (PID: 5760 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe' 2 5516 4364421 MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
      • hfsjrifske.exe (PID: 6596 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
        • hfsjrifske.exe (PID: 6956 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
        • hfsjrifske.exe (PID: 384 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe' 2 6956 4379171 MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
  • dhcpmon.exe (PID: 4896 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
    • notepad.exe (PID: 4824 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • hfsjrifske.exe (PID: 5904 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
        • hfsjrifske.exe (PID: 5792 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
        • hfsjrifske.exe (PID: 4836 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe' 2 5792 4368718 MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
          • hfsjrifske.exe (PID: 6660 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
            • hfsjrifske.exe (PID: 6204 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
            • hfsjrifske.exe (PID: 4824 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe' 2 6204 4382812 MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
  • dhcpmon.exe (PID: 6412 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
    • notepad.exe (PID: 6508 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • hfsjrifske.exe (PID: 6652 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
        • hfsjrifske.exe (PID: 6472 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
        • hfsjrifske.exe (PID: 6984 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe' 2 6472 4376781 MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
          • hfsjrifske.exe (PID: 6460 cmdline: C:\Users\user\AppData\Roaming\appdata\hfsjrifske.exe MD5: BB4EB0CC2F31F248A9C2F38C0ABBB252)
  • wscript.exe (PID: 856 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.165.153.30", "255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000010.00000002.255600932.0000000000652000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.255600932.0000000000652000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000010.00000002.255600932.0000000000652000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    00000027.00000002.296454364.0000000002AA7000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x101e5:$x1: NanoCore.ClientPluginHost
    • 0x10222:$x2: IClientNetworkHost
    • 0x13d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000027.00000002.296454364.0000000002AA7000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security