
Analysis Report DES_ Holdings Ltd - products listing.exe

Overview

General Information

Sample Name: DES_ Holdings Ltd - products listing.exe
Analysis ID: 336710
MD5: f88e81d7f208b4ebca34ae5f1f032d0f
SHA1: 4da7041d786ebc59dfb33eec1196c1ae2cc94f89
SHA256: 9fd3eec622da8536e22c164bbd05d80dada1003fadd07fd4800ced6c0579812c
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Startup

  • System is w10x64
  • DES_ Holdings Ltd - products listing.exe (PID: 6520 cmdline: 'C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe' MD5: F88E81D7F208B4EBCA34AE5F1F032D0F)
    • schtasks.exe (PID: 976 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["212.83.46.26"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000002.610010923.0000000006340000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
(9 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.DES_ Holdings Ltd - products listing.exe.6340000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
11.2.DES_ Holdings Ltd - products listing.exe.6340000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(7 further entries not shown)

        Sigma Overview

        System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe, ProcessId: 4812, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe', ParentImage: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe, ParentProcessId: 6520, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp', ProcessId: 976

        Signature Overview


        AV Detection:

Found malware configuration
Source: DES_ Holdings Ltd - products listing.exe.4812.11.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["212.83.46.26"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe | ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: DES_ Holdings Ltd - products listing.exe | Virustotal: Detection: 30%
Source: DES_ Holdings Ltd - products listing.exe | ReversingLabs: Detection: 13%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DES_ Holdings Ltd - products listing.exe | Joe Sandbox ML: detected
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack | Avira: Label: TR/NanoCore.fadte
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 212.83.46.26
Source: global traffic | TCP traffic: 192.168.2.7:49708 -> 212.83.46.26:4021
Source: Joe Sandbox View | ASN Name: TTMDE TTMDE
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 (logged 45 times)
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE

        System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.610010923.0000000006340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.DES_ Holdings Ltd - products listing.exe.6340000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Code function: 11_2_017EE471
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Code function: 11_2_017EE480
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Code function: 11_2_017EBBD4
Source: DES_ Holdings Ltd - products listing.exe, 00000000.00000000.227595219.000000000096E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIClientChannelSink.exe4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.609929125.00000000062D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610212602.0000000006C70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000000.288113052.0000000000D3E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIClientChannelSink.exe4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe | Binary or memory string: OriginalFilenameIClientChannelSink.exe4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.610010923.0000000006340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.610010923.0000000006340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.DES_ Holdings Ltd - products listing.exe.6340000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.6340000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@0/2
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File created: C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Mutant created: \Sessions\1\BaseNamedObjects\hEBKLHOBXbQI
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4472:120:WilError_01
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{3b0a05ab-e8be-49ea-960f-63681280e339}
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File created: C:\Users\user\AppData\Local\Temp\tmp933B.tmp
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DES_ Holdings Ltd - products listing.exe | Virustotal: Detection: 30%
Source: DES_ Holdings Ltd - products listing.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File read: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
Source: unknown | Process created: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe 'C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp'
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process created: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation:

        barindex
        .NET source code contains potential unpackerShow sources
        Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: initial sampleStatic PE information: section name: .text entropy: 7.45520893226
        Source: initial sampleStatic PE information: section name: .text entropy: 7.45520893226
        Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File created: \des_ holdings ltd - products listing.exe
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File created: C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File opened: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Window / User API: threadDelayed 4518
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Window / User API: threadDelayed 4984
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Window / User API: foregroundWindowGot 1253
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Window / User API: foregroundWindowGot 416
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe TID: 6524 | Thread sleep time: -52026s >= -30000s
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe TID: 6540 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe TID: 6604 | Thread sleep time: -18446744073709540s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610212602.0000000006C70000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610212602.0000000006C70000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610212602.0000000006C70000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000003.375375617.0000000001478000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610212602.0000000006C70000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Memory written: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp'
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process created: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605168447.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.608493846.00000000036BA000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605168447.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605168447.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.606374110.000000000331C000.00000004.00000001.sdmp | Binary or memory string: Program Manager|$
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605168447.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe VolumeInformation
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY
        Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY
        Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection112 | Masquerading1 | Input Capture11 | Security Software Discovery111 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112