Analysis Report BFSV-1F(N)_1B-8B_ANSI.exe

Overview

General Information

Sample Name: BFSV-1F(N)_1B-8B_ANSI.exe
Analysis ID: 336687
MD5: 157d3320cafb9799ed5d996692e8bea7
SHA1: b8dc9d3720b84695bc18a4310a5f34e2603fc829
SHA256: 5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nanocore RAT
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: BFSV-1F(N)_1B-8B_ANSI.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: BFSV-1F(N)_1B-8B_ANSI.exe ReversingLabs: Detection: 43%
Yara detected Nanocore RAT
Source: Yara match File source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY
Source: Yara match File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: BFSV-1F(N)_1B-8B_ANSI.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.c90000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 7.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 10.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 4.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 16.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 17.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.2910000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 8.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.14c0000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 13.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.d60000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.d60000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.2c40000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 16.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 9.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 9.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 7.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 17.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 3.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: BFSV-1F(N)_1B-8B_ANSI.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: BFSV-1F(N)_1B-8B_ANSI.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000002.658811495.0000000000E0A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match (same memory dumps, process memory spaces and unpacked PE files as listed under "Yara detected Nanocore RAT" in the AV Detection section above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Detected potential crypto function
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 0_2_003ED580 0_2_003ED580
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 1_2_003ED580 1_2_003ED580
Sample file is different than original file name gathered from version info
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656792236.0000000002C2F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.662135152.0000000002F7F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667765526.0000000002FEF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673368529.000000000337F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678962378.00000000029D6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.688343785.000000000280F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695713586.0000000002796000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Uses 32bit PE files
Source: BFSV-1F(N)_1B-8B_ANSI.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal84.troj.winEXE@29/0@0/0
Source: BFSV-1F(N)_1B-8B_ANSI.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BFSV-1F(N)_1B-8B_ANSI.exe ReversingLabs: Detection: 43%
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe File read: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 0_2_00405EC0 push eax; ret 0_2_00405EEE
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 1_2_00405EC0 push eax; ret 1_2_00405EEE

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 0_2_00405CA0 mov eax, dword ptr fs:[00000030h] 0_2_00405CA0
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 0_2_00B8ECBE mov eax, dword ptr fs:[00000030h] 0_2_00B8ECBE
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 0_2_00B8F5D4 mov eax, dword ptr fs:[00000030h] 0_2_00B8F5D4
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 0_2_00B8F534 mov eax, dword ptr fs:[00000030h] 0_2_00B8F534
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 0_2_00B8F715 mov eax, dword ptr fs:[00000030h] 0_2_00B8F715
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 0_2_00B8F571 mov eax, dword ptr fs:[00000030h] 0_2_00B8F571
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 1_2_00405CA0 mov eax, dword ptr fs:[00000030h] 1_2_00405CA0
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 2_2_00F5F87D mov eax, dword ptr fs:[00000030h] 2_2_00F5F87D
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 2_2_00F5F8E0 mov eax, dword ptr fs:[00000030h] 2_2_00F5F8E0
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 2_2_00F5F840 mov eax, dword ptr fs:[00000030h] 2_2_00F5F840
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 2_2_00F5EFCA mov eax, dword ptr fs:[00000030h] 2_2_00F5EFCA
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 2_2_00F5FA21 mov eax, dword ptr fs:[00000030h] 2_2_00F5FA21
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 4_2_00DDF9C1 mov eax, dword ptr fs:[00000030h] 4_2_00DDF9C1
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 4_2_00DDEF6A mov eax, dword ptr fs:[00000030h] 4_2_00DDEF6A
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 4_2_00DDF7E0 mov eax, dword ptr fs:[00000030h] 4_2_00DDF7E0
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 4_2_00DDF81D mov eax, dword ptr fs:[00000030h] 4_2_00DDF81D
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 4_2_00DDF880 mov eax, dword ptr fs:[00000030h] 4_2_00DDF880
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 6_2_012FF980 mov eax, dword ptr fs:[00000030h] 6_2_012FF980
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 6_2_012FF91D mov eax, dword ptr fs:[00000030h] 6_2_012FF91D
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 6_2_012FF06A mov eax, dword ptr fs:[00000030h] 6_2_012FF06A
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 6_2_012FF8E0 mov eax, dword ptr fs:[00000030h] 6_2_012FF8E0
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 6_2_012FFAC1 mov eax, dword ptr fs:[00000030h] 6_2_012FFAC1
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 8_2_00B3F529 mov eax, dword ptr fs:[00000030h] 8_2_00B3F529
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 8_2_00B3F58C mov eax, dword ptr fs:[00000030h] 8_2_00B3F58C
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 8_2_00B3EC76 mov eax, dword ptr fs:[00000030h] 8_2_00B3EC76
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 8_2_00B3F4EC mov eax, dword ptr fs:[00000030h] 8_2_00B3F4EC
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 8_2_00B3F6CD mov eax, dword ptr fs:[00000030h] 8_2_00B3F6CD
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 10_2_0054FB54 mov eax, dword ptr fs:[00000030h] 10_2_0054FB54
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 10_2_0054F2DE mov eax, dword ptr fs:[00000030h] 10_2_0054F2DE
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 10_2_0054FBF4 mov eax, dword ptr fs:[00000030h] 10_2_0054FBF4
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 10_2_0054FB91 mov eax, dword ptr fs:[00000030h] 10_2_0054FB91
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 10_2_0054FD35 mov eax, dword ptr fs:[00000030h] 10_2_0054FD35
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 13_2_005DFAD4 mov eax, dword ptr fs:[00000030h] 13_2_005DFAD4
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 13_2_005DFA71 mov eax, dword ptr fs:[00000030h] 13_2_005DFA71
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 13_2_005DFC15 mov eax, dword ptr fs:[00000030h] 13_2_005DFC15
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 13_2_005DF1BE mov eax, dword ptr fs:[00000030h] 13_2_005DF1BE
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 13_2_005DFA34 mov eax, dword ptr fs:[00000030h] 13_2_005DFA34
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmp Binary or memory string: Progman
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY
Source: Yara match File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY
Source: Yara match File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY
Source: Yara match File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE
Behavior Graph ID: 336687
Sample: BFSV-1F(N)_1B-8B_ANSI.exe
Startdate: 06/01/2021
Architecture: WINDOWS
Score: 84
Signatures shown in graph: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
Process tree shown in graph: BFSV-1F(N)_1B-8B_ANSI.exe started; at each level one instance of BFSV-1F(N)_1B-8B_ANSI.exe starts two further copies of itself (15 process instances in total, nested eight levels deep)
No contacted IP infos