Analysis Report OFFER.exe

Overview

General Information

Sample Name:	OFFER.exe
Analysis ID:	322137
MD5:	f0a3b70a92ece3204289b3e1e25c9942
SHA1:	5af0534294c9f5fd1ada722919ec8583f88f2ac9
SHA256:	0a09ec08c850081ffb281f5716859d62093a5f772266503cb67d5e49a4ecd4f4
Tags:	NanoCore
Most interesting Screenshot:

Detection

NanoCore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: OFFER.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe

Avira: detection malicious, Label: TR/AD.Nanocore.gzsda

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	Virustotal: Detection: 57%	Perma Link
Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	Metadefender: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: OFFER.exe	Virustotal: Detection: 57%	Perma Link
Source: OFFER.exe	Metadefender: Detection: 37%	Perma Link
Source: OFFER.exe	ReversingLabs: Detection: 68%

Yara detected Nanocore RAT

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\OFFER.exe

Code function: 4x nop then jmp 055428F7h

0_2_055427EA

Networking:

Uses dynamic DNS services

Source: unknown

DNS query: name: udochukwu.ddns.net

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49711 -> 37.18.96.19:2323

Source: unknown

DNS traffic detected: queries for: udochukwu.ddns.net

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Contains functionality to call native functions

Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05531016 NtQuerySystemInformation,		0_2_05531016
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05530FE5 NtQuerySystemInformation,		0_2_05530FE5

Detected potential crypto function

Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_00723AED	0_2_00723AED
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A209C8	0_2_02A209C8
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A21D2E	0_2_02A21D2E
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A209CD	0_2_02A209CD
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A231D8	0_2_02A231D8
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A28EA8	0_2_02A28EA8
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A28FB2	0_2_02A28FB2
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A22F88	0_2_02A22F88
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A22F77	0_2_02A22F77
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A23C32	0_2_02A23C32
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A2E598	0_2_02A2E598
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_00722050	0_2_00722050

PE file contains strange resources

Source: OFFER.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RplepwTnfZYE.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: OFFER.exe, 00000000.00000000.202703558.00000000007B4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212114802.0000000004FF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.213553763.0000000005BC0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212759761.0000000005460000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKedermister.dllT vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.214012672.0000000005CC0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.214012672.0000000005CC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212203919.0000000005050000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameexag vs OFFER.exe
Source: OFFER.exe, 00000003.00000000.208615410.0000000001024000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: OFFER.exe	Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe

Yara signature match

Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: OFFER.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RplepwTnfZYE.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: OFFER.exe, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: RplepwTnfZYE.exe.0.dr, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.OFFER.exe.720000.0.unpack, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.OFFER.exe.720000.0.unpack, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.OFFER.exe.f90000.0.unpack, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/5@9/2

Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05530E9A AdjustTokenPrivileges,		0_2_05530E9A
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05530E63 AdjustTokenPrivileges,		0_2_05530E63

Source: C:\Users\user\Desktop\OFFER.exe

File created: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_01
Source: C:\Users\user\Desktop\OFFER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{e9662336-59a2-4ebb-989e-7c602bdb23a8}
Source: C:\Users\user\Desktop\OFFER.exe	Mutant created: \Sessions\1\BaseNamedObjects\qkUPEOxutgScEw

Source: C:\Users\user\Desktop\OFFER.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp

Jump to behavior

Source: OFFER.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OFFER.exe	Virustotal: Detection: 57%
Source: OFFER.exe	Metadefender: Detection: 37%
Source: OFFER.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\OFFER.exe

File read: C:\Users\user\Desktop\OFFER.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OFFER.exe 'C:\Users\user\Desktop\OFFER.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe
Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe	Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: OFFER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\OFFER.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: OFFER.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: OFFER.exe, 00000000.00000002.212114802.0000000004FF0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Source: OFFER.exe, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: RplepwTnfZYE.exe.0.dr, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.OFFER.exe.720000.0.unpack, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.OFFER.exe.720000.0.unpack, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.OFFER.exe.f90000.0.unpack, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\OFFER.exe

Code function: 0_2_00EA2010 push eax; retf

0_2_00EA2011

Source: initial sample	Static PE information: section name: .text entropy: 7.70065403732
Source: initial sample	Static PE information: section name: .text entropy: 7.70065403732

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\OFFER.exe

File created: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\OFFER.exe

File opened: C:\Users\user\Desktop\OFFER.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.210800137.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OFFER.exe PID: 6088, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\OFFER.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\OFFER.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\OFFER.exe	Window / User API: threadDelayed 647	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Window / User API: threadDelayed 852	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Window / User API: foregroundWindowGot 988	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\OFFER.exe TID: 6064	Thread sleep time: -49583s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe TID: 2796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe TID: 5076	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe TID: 5072	Thread sleep time: -40000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II\|update users set password = @password where user_id = @user_id
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\OFFER.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\Desktop\OFFER.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\OFFER.exe

Memory written: C:\Users\user\Desktop\OFFER.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe			Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Code function: 0_2_00E9AEFE GetUserNameW,

0_2_00E9AEFE

Source: C:\Users\user\Desktop\OFFER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Nanocore RAT

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.18.96.19	unknown	Netherlands		201411	GOKNETTR	true

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
udochukwu.ddns.net	37.18.96.19	true

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: OFFER.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe

Avira: detection malicious, Label: TR/AD.Nanocore.gzsda

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	Virustotal: Detection: 57%	Perma Link
Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	Metadefender: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: OFFER.exe	Virustotal: Detection: 57%	Perma Link
Source: OFFER.exe	Metadefender: Detection: 37%	Perma Link
Source: OFFER.exe	ReversingLabs: Detection: 68%

Yara detected Nanocore RAT

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\OFFER.exe

Code function: 4x nop then jmp 055428F7h

0_2_055427EA

Networking:

Uses dynamic DNS services

Source: unknown

DNS query: name: udochukwu.ddns.net

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49711 -> 37.18.96.19:2323

Source: unknown

DNS traffic detected: queries for: udochukwu.ddns.net

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Contains functionality to call native functions

Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05531016 NtQuerySystemInformation,		0_2_05531016
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05530FE5 NtQuerySystemInformation,		0_2_05530FE5

Detected potential crypto function

Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_00723AED	0_2_00723AED
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A209C8	0_2_02A209C8
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A21D2E	0_2_02A21D2E
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A209CD	0_2_02A209CD
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A231D8	0_2_02A231D8
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A28EA8	0_2_02A28EA8
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A28FB2	0_2_02A28FB2
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A22F88	0_2_02A22F88
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A22F77	0_2_02A22F77
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A23C32	0_2_02A23C32
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A2E598	0_2_02A2E598
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_00722050	0_2_00722050

PE file contains strange resources

Source: OFFER.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RplepwTnfZYE.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: OFFER.exe, 00000000.00000000.202703558.00000000007B4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212114802.0000000004FF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.213553763.0000000005BC0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212759761.0000000005460000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKedermister.dllT vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.214012672.0000000005CC0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.214012672.0000000005CC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212203919.0000000005050000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameexag vs OFFER.exe
Source: OFFER.exe, 00000003.00000000.208615410.0000000001024000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: OFFER.exe	Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe

Yara signature match

Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: OFFER.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RplepwTnfZYE.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: OFFER.exe, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: RplepwTnfZYE.exe.0.dr, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.OFFER.exe.720000.0.unpack, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.OFFER.exe.720000.0.unpack, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.OFFER.exe.f90000.0.unpack, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/5@9/2

Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05530E9A AdjustTokenPrivileges,		0_2_05530E9A
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05530E63 AdjustTokenPrivileges,		0_2_05530E63

Source: C:\Users\user\Desktop\OFFER.exe

File created: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_01
Source: C:\Users\user\Desktop\OFFER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{e9662336-59a2-4ebb-989e-7c602bdb23a8}
Source: C:\Users\user\Desktop\OFFER.exe	Mutant created: \Sessions\1\BaseNamedObjects\qkUPEOxutgScEw

Source: C:\Users\user\Desktop\OFFER.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp

Jump to behavior

Source: OFFER.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OFFER.exe	Virustotal: Detection: 57%
Source: OFFER.exe	Metadefender: Detection: 37%
Source: OFFER.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\OFFER.exe

File read: C:\Users\user\Desktop\OFFER.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OFFER.exe 'C:\Users\user\Desktop\OFFER.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe
Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe	Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: OFFER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\OFFER.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: OFFER.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: OFFER.exe, 00000000.00000002.212114802.0000000004FF0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Source: OFFER.exe, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: RplepwTnfZYE.exe.0.dr, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.OFFER.exe.720000.0.unpack, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.OFFER.exe.720000.0.unpack, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.OFFER.exe.f90000.0.unpack, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\OFFER.exe

Code function: 0_2_00EA2010 push eax; retf

0_2_00EA2011

Source: initial sample	Static PE information: section name: .text entropy: 7.70065403732
Source: initial sample	Static PE information: section name: .text entropy: 7.70065403732

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\OFFER.exe

File created: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\OFFER.exe

File opened: C:\Users\user\Desktop\OFFER.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.210800137.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OFFER.exe PID: 6088, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\OFFER.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\OFFER.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\OFFER.exe	Window / User API: threadDelayed 647	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Window / User API: threadDelayed 852	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Window / User API: foregroundWindowGot 988	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\OFFER.exe TID: 6064	Thread sleep time: -49583s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe TID: 2796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe TID: 5076	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe TID: 5072	Thread sleep time: -40000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II\|update users set password = @password where user_id = @user_id
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\OFFER.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\Desktop\OFFER.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\OFFER.exe

Memory written: C:\Users\user\Desktop\OFFER.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe			Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Code function: 0_2_00E9AEFE GetUserNameW,

0_2_00E9AEFE

Source: C:\Users\user\Desktop\OFFER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Nanocore RAT

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

ID:	322137
Product:	CloudBasic
Start time:	15:27:11
Start date:	24.11.2020
Sample:	OFFER.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	f0a3b70a92ece3204289b3e1e25c9942
SHA1:	5af0534294c9f5fd1ada722919ec8583f88f2ac9
SHA256:	0a09ec08c850081ffb281f5716859d62093a5f772266503cb67d5e49a4ecd4f4
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\OFFER.exe.log	ASCII text, with CRLF line terminators	61CCF53571C9ABA6511D696CB0D32E45	A13A42A20EC14942F52DB20FB16A0A520F8183CE	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	AB592D06D98D97E7246ACDE4BC6F877E	6F407D15DCD33272C9F36A3B60CE18EA287D943D	5F401C9D62E49D3C79957EE747E11E54B09AE2577B37BF3FD8E0F59779E17764
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	Non-ISO extended-ASCII text, with no line terminators	94BA71EFD891C3DCB84D299A3569E0DA	D1377C913F96023629C1A07DB3BF23E0BB5F9005	30F19B17612845ECB696342C4C9306B80FFCEC7BDC5ABA5DC83A9DA346270990
C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	F0A3B70A92ECE3204289B3E1E25C9942	5AF0534294C9F5FD1ADA722919EC8583F88F2AC9	0A09EC08C850081FFB281F5716859D62093A5F772266503CB67D5E49A4ECD4F4
C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Analysis Report OFFER.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains