
Analysis Report September Payment -Bank Details.exe

Overview

General Information

Sample Name: September Payment -Bank Details.exe
Analysis ID: 286149
MD5: d778f2988ce3884b9847f6b121cc8e77
SHA1: 6f27cc4a3d49f7c829a844c115fcb4bb36310ccd
SHA256: 6b4ef66dfdfbefea692e27ae45951bfb8b89064167e13ca47278d1259ae81811

Detection

Nanocore, Quasar
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Yara detected Nanocore RAT
Yara detected Quasar RAT
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

Startup

  • System is w10x64
  • September Payment -Bank Details.exe (PID: 6668 cmdline: 'C:\Users\user\Desktop\September Payment -Bank Details.exe' MD5: D778F2988CE3884B9847F6B121CC8E77)
    • cmd.exe (PID: 3928 cmdline: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Window Desktop Manager /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Music\Window Desktop Manager' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 4996 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Window Desktop Manager /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Music\Window Desktop Manager' MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • OpenWith.exe (PID: 1036 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.496541428.0000000007356000.00000004.00000001.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000003.496635838.0000000007377000.00000004.00000001.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000003.490662643.0000000007437000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000003.490662643.0000000007437000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  Matched strings:
  • 0x1b978:$a: NanoCore
  • 0x1b98c:$a: NanoCore
  • 0x1d170:$a: NanoCore
  • 0x1d180:$a: NanoCore
  • 0x1b995:$b: ClientPlugin
  • 0x1d1cf:$b: ClientPlugin
  • 0x1df41:$b: ClientPlugin
  • 0x1b8ba:$c: ProjectData
  • 0x1dd35:$d: DESCrypto
  • 0x26355:$e: KeepAlive
  • 0x27b43:$g: LogClientMessage
  • 0x2535a:$i: get_Connected
  • 0x1f4ac:$j: #=q
  • 0x1f4f0:$j: #=q
  • 0x1f534:$j: #=q
  • 0x1f578:$j: #=q
  • 0x1f5bc:$j: #=q
  • 0x1f600:$j: #=q
  • 0x1f61c:$j: #=q
  • 0x1f638:$j: #=q
  • 0x1f654:$j: #=q
00000000.00000003.481370405.0000000006A69000.00000004.00000001.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
(28 further memory-dump entries omitted)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match, file source: 00000000.00000003.490662643.0000000007437000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.478796095.0000000006A99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.481480156.0000000006ABC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.473524978.0000000006A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.487248273.0000000006B37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.566984785.0000000002F09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.491540707.000000000743E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: September Payment -Bank Details.exe PID: 6668, type: MEMORY
Yara detected Quasar RAT
Source: Yara match, file source: 00000000.00000003.496541428.0000000007356000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.496635838.0000000007377000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.481370405.0000000006A69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.473524978.0000000006A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: September Payment -Bank Details.exe PID: 6668, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\Music\Window Desktop Manager, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: September Payment -Bank Details.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\September Payment -Bank Details.exe, code function: 0_2_73533670 CryptQueryObject,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalAlloc,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose
Source: C:\Users\user\Desktop\September Payment -Bank Details.exe, code function: 0_2_73533470 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext,LocalAlloc,CertFreeCertificateContext,CryptDecodeObject,CertFreeCertificateContext,CertFreeCertificateContext
Source: C:\Users\user\Desktop\September Payment -Bank Details.exe, code function: 0_2_73533499 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext
Source: September Payment -Bank Details.exe, 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, string found in binary or memory: http://api.ipify.org/
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: September Payment -Bank Details.exe, 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, September Payment -Bank Details.exe, 00000000.00000003.478796095.0000000006A99000.00000004.00000001.sdmp, string found in binary or memory: http://freegeoip.net/xml/
Source: September Payment -Bank Details.exe, 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, string found in binary or memory: http://ip-api.com/json/
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://ocsp.thawte.com0
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://s2.symcb.com0
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://sv.symcb.com/sv.crt0
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://sv.symcd.com0&
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://www.symauth.com/cps0(
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: http://www.symauth.com/rpa00
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: https://d.symcb.com/cps0%
Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr, string found in binary or memory: https://d.symcb.com/rpa0
Source: September Payment -Bank Details.exe, 00000000.00000002.566008261.00000000010BA000.00000004.00000020.sdmp, binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT (same memory-dump matches as listed under AV Detection)
Yara detected Quasar RAT (same memory-dump matches as listed under AV Detection)

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000000.00000003.490662643.0000000007437000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
          Source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000003.478796095.0000000006A99000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000003.481480156.0000000006ABC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000003.474552041.0000000006754000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
          Source: 00000000.00000003.473524978.0000000006A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000003.487248273.0000000006B37000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.566984785.0000000002F09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000003.491540707.000000000743E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
          Source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: September Payment -Bank Details.exe PID: 6668, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: September Payment -Bank Details.exe PID: 6668, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          .NET source code contains very large array initializationsShow sources
          Source: September Payment -Bank Details.exe, ?u002a1?8??u005e?u00266?5??u0029?u007e0?/??9u003f4?u005d??7?u007d0?u0026??6?u002b3?u003b.csLarge array initialization: ?&8?0??_??]1?|6???+4@?9??7%?{??5: array initializer size 123904
          Source: Window Desktop Manager.0.dr, ?u002a1?8??u005e?u00266?5??u0029?u007e0?/??9u003f4?u005d??7?u007d0?u0026??6?u002b3?u003b.csLarge array initialization: ?&8?0??_??]1?|6???+4@?9??7%?{??5: array initializer size 123904
          Source: 0.2.September Payment -Bank Details.exe.880000.0.unpack, ?u002a1?8??u005e?u00266?5??u0029?u007e0?/??9u003f4?u005d??7?u007d0?u0026??6?u002b3?u003b.csLarge array initialization: ?&8?0??_??]1?|6???+4@?9??7%?{??5: array initializer size 123904
          Source: 0.0.September Payment -Bank Details.exe.880000.0.unpack, ?u002a1?8??u005e?u00266?5??u0029?u007e0?/??9u003f4?u005d??7?u007d0?u0026??6?u002b3?u003b.csLarge array initialization: ?&8?0??_??]1?|6???+4@?9??7%?{??5: array initializer size 123904
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: September Payment -Bank Details.exe
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exeCode function: 0_2_02B473390_2_02B47339
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exeCode function: 0_2_02B473480_2_02B47348
          Source: September Payment -Bank Details.exeBinary or memory string: OriginalFilename vs September Payment -Bank Details.exe
          Source: September Payment -Bank Details.exe, 00000000.00000000.407996609.0000000000882000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWindow Desktop Manager.exeP vs September Payment -Bank Details.exe
          Source: September Payment -Bank Details.exe, 00000000.00000003.490698186.0000000006ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClient.exe" vs September Payment -Bank Details.exe
          Source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs September Payment -Bank Details.exe
          Source: September Payment -Bank Details.exe, 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLLB.exeD vs September Payment -Bank Details.exe
          Source: September Payment -Bank Details.exe, 00000000.00000002.566008261.00000000010BA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs September Payment -Bank Details.exe
          Source: September Payment -Bank Details.exe, 00000000.00000002.565645318.0000000000F60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs September Payment -Bank Details.exe
          Source: September Payment -Bank Details.exe, 00000000.00000002.573038931.0000000005BE0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs September Payment -Bank Details.exe
          Source: September Payment -Bank Details.exeBinary or memory string: OriginalFilenameWindow Desktop Manager.exeP vs September Payment -Bank Details.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Window Desktop Manager /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Music\Window Desktop Manager'
          Source: 00000000.00000003.490662643.0000000007437000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000003.478796095.0000000006A99000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000003.481480156.0000000006ABC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000003.474552041.0000000006754000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000003.473524978.0000000006A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000003.487248273.0000000006B37000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.566984785.0000000002F09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000003.491540707.000000000743E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: September Payment -Bank Details.exe PID: 6668, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: September Payment -Bank Details.exe PID: 6668, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: classification engineClassification label: mal92.troj.evad.winEXE@7/4@0/0
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exeFile created: C:\Users\user\Music\Window Desktop ManagerJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exeFile created: C:\Users\user\AppData\Local\Temp\b438b2b2-a27d-417f-8ec9-625540b311a1Jump to behavior
          Source: September Payment -Bank Details.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exeFile read: C:\Users\user\Desktop\September Payment -Bank Details.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\September Payment -Bank Details.exe 'C:\Users\user\Desktop\September Payment -Bank Details.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Window Desktop Manager /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Music\Window Desktop Manager'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Window Desktop Manager /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Music\Window Desktop Manager'
          Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Window Desktop Manager /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Music\Window Desktop Manager'Jump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Window Desktop Manager /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Music\Window Desktop Manager'Jump to behavior
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: September Payment -Bank Details.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: September Payment -Bank Details.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: September Payment -Bank Details.exeStatic file information: File size 1320960 > 1048576
          Source: September Payment -Bank Details.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x141c00
          Source: September Payment -Bank Details.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: C:\Users\Zach\Desktop\LimitlessBind\WindowsApplication1\WindowsApplication1\obj\x86\Debug\LLB.pdb source: September Payment -Bank Details.exe, 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp
          Source: Binary string: clrjit.pdb source: September Payment -Bank Details.exe, 00000000.00000002.572713736.00000000055A0000.00000004.00000001.sdmp
          Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: September Payment -Bank Details.exe, 00000000.00000002.571138739.0000000003C81000.00000004.00000001.sdmp, g.dll.0.dr
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_7353A090 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,VerQueryValueA,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, 0_2_7353A090
          Source: g.dll.0.dr Static PE information: section name: .didat
          Source: g.dll.0.dr Static PE information: section name: .00cfg
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_00885680 push 00000061h; retf 0_2_0088568A
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_008826A4 push esp; rep ret 0_2_008826A5
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_00883E0D push cs; retf 0_2_00883E0F
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_00882223 push 68BB0E69h; iretd 0_2_00882309
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_00885435 push FFFFFFBEh; retf 0_2_00885442
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_00883D9C pushad ; retf 0_2_00883E03
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_008855C7 push edx; ret 0_2_008855D7
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_00885138 push ebp; retf 0_2_00885140
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_00882B5B push eax; ret 0_2_00882B5C
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_0088557B push 6F666E49h; iretd 0_2_00885580
          Source: initial sample Static PE information: section name: .text entropy: 7.32842473019
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe File created: C:\Users\user\AppData\Local\Temp\b438b2b2-a27d-417f-8ec9-625540b311a1\g.dll
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe File created: C:\Users\user\Music\Window Desktop Manager
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe RDTSC instruction interceptor: First address: 0000000073531D36 second address: 0000000073532A87 instructions:
            0x00000000 rdtsc
            0x00000002 mov dword ptr [ebp-10h], eax
            0x00000005 mov dword ptr [ebp-0Ch], edx
            0x00000008 mov eax, dword ptr [ebp-10h]
            0x0000000b sub eax, dword ptr [ebp-08h]
            0x0000000e mov edx, dword ptr [ebp-0Ch]
            0x00000011 sbb edx, dword ptr [ebp-04h]
            0x00000014 pop edi
            0x00000015 pop esi
            0x00000016 pop ebx
            0x00000017 mov esp, ebp
            0x00000019 pop ebp
            0x0000001a ret
            0x0000001b mov dword ptr [735453C0h], eax
            0x00000020 mov dword ptr [735453C4h], edx
            0x00000026 mov dword ptr [ebp-0Ch], 00000000h
            0x0000002d jmp 00007F9BF4B8429Bh
            0x0000002f mov eax, dword ptr [ebp-0Ch]
            0x00000032 cmp eax, dword ptr [ebp+08h]
            0x00000035 jnl 00007F9BF4B842D6h
            0x00000037 rdtsc
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_73532A40 rdtsc 0_2_73532A40
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Window / User API: threadDelayed 957
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe TID: 6176 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe TID: 6176 Thread sleep time: -39500s >= -30000s
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe TID: 6176 Thread sleep time: -37500s >= -30000s
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe TID: 6176 Thread sleep time: -34500s >= -30000s
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe TID: 6176 Thread sleep time: -34000s >= -30000s
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe TID: 2332 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_73540CF3 VirtualQuery,GetSystemInfo, 0_2_73540CF3
          Source: September Payment -Bank Details.exe, 00000000.00000002.565645318.0000000000F60000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: September Payment -Bank Details.exe, 00000000.00000002.566084435.00000000010F0000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
          Source: September Payment -Bank Details.exe, 00000000.00000002.565645318.0000000000F60000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: September Payment -Bank Details.exe, 00000000.00000002.566084435.00000000010F0000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\0
          Source: September Payment -Bank Details.exe, 00000000.00000002.565645318.0000000000F60000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: September Payment -Bank Details.exe, 00000000.00000002.565645318.0000000000F60000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_73532A40 rdtsc 0_2_73532A40
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_7353A090 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,VerQueryValueA,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, 0_2_7353A090
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_735323F0 K32EnumProcessModules,GetProcessHeap,HeapAlloc,K32EnumProcessModules,GetProcessHeap,HeapFree,K32GetModuleBaseNameA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_735323F0
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Window Desktop Manager /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Music\Window Desktop Manager'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Window Desktop Manager /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Music\Window Desktop Manager'
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Queries volume information: C:\Users\user\Desktop\September Payment -Bank Details.exe VolumeInformation
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_7353B100 GetTempPathA,GetSystemTime,GetDateFormatA,GetTimeFormatA,CreateFileA,GetProcessHeap,HeapAlloc,InitializeCriticalSection, 0_2_7353B100
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Code function: 0_2_735325C0 GetVersionExW, 0_2_735325C0
          Source: C:\Users\user\Desktop\September Payment -Bank Details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match File source: 00000000.00000003.490662643.0000000007437000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.478796095.0000000006A99000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.481480156.0000000006ABC000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.473524978.0000000006A31000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.487248273.0000000006B37000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.566984785.0000000002F09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.491540707.000000000743E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: September Payment -Bank Details.exe PID: 6668, type: MEMORY
          Yara detected Quasar RAT
          Source: Yara match File source: 00000000.00000003.496541428.0000000007356000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.496635838.0000000007377000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.481370405.0000000006A69000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.473524978.0000000006A31000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: September Payment -Bank Details.exe PID: 6668, type: MEMORY

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: September Payment -Bank Details.exe, 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
          Yara detected Nanocore RAT
          Source: Yara match File source: 00000000.00000003.490662643.0000000007437000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.478796095.0000000006A99000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.481480156.0000000006ABC000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.473524978.0000000006A31000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.487248273.0000000006B37000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.566984785.0000000002F09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.491540707.000000000743E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: September Payment -Bank Details.exe PID: 6668, type: MEMORY
          Yara detected Quasar RAT
          Source: Yara match File source: 00000000.00000003.496541428.0000000007356000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.496635838.0000000007377000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.481370405.0000000006A69000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.571860567.0000000003EFC000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.473524978.0000000006A31000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.571365591.0000000003D20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: September Payment -Bank Details.exe PID: 6668, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
          Execution: Native API1, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
          Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
          Privilege Escalation: Process Injection11, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
          Defense Evasion: Masquerading11, Modify Registry1, Virtualization/Sandbox Evasion3, Disable or Modify Tools1, Process Injection11, Obfuscated Files or Information2, Software Packing1
          Credential Access: Input Capture1, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
          Discovery: System Time Discovery1, Security Software Discovery131, Virtualization/Sandbox Evasion3, Process Discovery1, Application Window Discovery1, File and Directory Discovery1, System Information Discovery115
          Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
          Collection: Input Capture1, Archive Collected Data1, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel2, Remote Access Software1, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
          Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 286149. Sample: September Payment -Bank Details.exe. Start date: 16/09/2020. Architecture: WINDOWS. Score: 92.
          Signatures shown in the graph: Malicious sample detected (through community Yara rule); Detected Nanocore Rat; Yara detected Quasar RAT; 6 other signatures.
          Process tree shown in the graph: September Payment -Bank Details.exe started (OpenWith.exe also started); September Payment -Bank Details.exe dropped C:\Users\user\Music\Window Desktop Manager (PE32), C:\...\Window Desktop Manager:Zone.Identifier (ASCII), September Payment -Bank Details.exe.log (ASCII) and C:\Users\user\AppData\Local\Temp\...\g.dll (PE32); September Payment -Bank Details.exe started cmd.exe; cmd.exe started conhost.exe and reg.exe.

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.