Analysis Report BFSV-1F(N)_1B-8B_ANSI.exe

ID:	337281
Product:	CloudBasic
Start time:	09:23:02
Start date:	08.01.2021
Sample:	BFSV-1F(N)_1B-8B_ANSI.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	36f13aad903e851544fe137feca3435b
SHA1:	776d3d7e39a8b3e72e2e9b5c36a615e3157d05ad
SHA256:	41617ac4431c229ba27bf94617b465309e7f502ae5088cd12ee571a0428ea120
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat	data	E78C6686C5A1A9CB0724F84DEA9A75F0	80E61D5BDC7AF293362024781DA66BEA9D370FF9	FBE0B513511C00AC3B7169E1BCFB675CFD708B249365D724269C23FAC1184967
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	ISO-8859 text, with no line terminators	3F3CD5C288B64A7072F09AC01296FBC4	E46242146BEBEFF9D2FF11B8C187518025E4E182	35943387C3ACAE14B8EE9FA76521D176C82DEB8F1BA2EDDB1F3BDCFF2863236B
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin	data	4E5E92E2369688041CC82EF9650EDED2	15E44F2F3194EE232B44E9684163B6F66472C862	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat	data	7E8F4A764B981D5B82D1CC49D341E9C6	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: BFSV-1F(N)_1B-8B_ANSI.exe

Avira: detected

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
Source: Yara match	File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: BFSV-1F(N)_1B-8B_ANSI.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: BFSV-1F(N)_1B-8B_ANSI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: BFSV-1F(N)_1B-8B_ANSI.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdbUGP source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.410135152.0000000006773000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49716 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49721 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49728 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49760 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49761 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49762 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49763 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49764 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49767 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49768 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49769 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49770 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49771 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49772 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49773 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49774 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49775 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49776 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49777 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49778 -> 45.138.49.96:9999
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49779 -> 45.138.49.96:9999

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49716 -> 45.138.49.96:9999

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ASDETUKhttpwwwheficedcomGB ASDETUKhttpwwwheficedcomGB

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.49.96

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000002.242332679.00000000008AA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
Source: Yara match	File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Detected potential crypto function

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Code function: 0_2_00D2B650		0_2_00D2B650
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Code function: 0_2_00D2A879		0_2_00D2A879
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Code function: 0_2_00D24610		0_2_00D24610
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Code function: 0_2_00D29700		0_2_00D29700
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Code function: 0_2_00D2CC36		0_2_00D2CC36

Sample file is different than original file name gathered from version info

Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.239929756.000000001A496000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.248234831.000000000674B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs BFSV-1F(N)_1B-8B_ANSI.exe

Uses 32bit PE files

Source: BFSV-1F(N)_1B-8B_ANSI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/4@0/1

Contains functionality to load and extract PE file embedded resources

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Code function: 0_2_00D30000 EntryPoint,FindResourceW,LoadResource,VirtualProtect,EnumLanguageGroupLocalesW,

0_2_00D30000

Creates files inside the user directory

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Creates mutexes

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{c9506c35-7fc9-4302-a06c-3e362d7043e7}

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample reads its own file content

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

File read: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: unknown	Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: BFSV-1F(N)_1B-8B_ANSI.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: BFSV-1F(N)_1B-8B_ANSI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdbUGP source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.410135152.0000000006773000.00000004.00000001.sdmp

Data Obfuscation:

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .stub

PE file contains sections with non-standard names

Source: BFSV-1F(N)_1B-8B_ANSI.exe	Static PE information: section name: .code
Source: BFSV-1F(N)_1B-8B_ANSI.exe	Static PE information: section name: .stub

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Code function: 0_2_00D21000 push eax; ret

0_2_00D2102E

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

File opened: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe:Zone.Identifier read attributes | delete

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Window / User API: threadDelayed 5591			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Window / User API: threadDelayed 2861			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Window / User API: foregroundWindowGot 626			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Window / User API: foregroundWindowGot 790			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe TID: 6232

Thread sleep time: -7378697629483816s >= -30000s

Jump to behavior

Queries a list of all running processes

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Code function: 0_2_00D2F270 mov eax, dword ptr fs:[00000030h]		0_2_00D2F270
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Code function: 0_2_006FF669 mov eax, dword ptr fs:[00000030h]		0_2_006FF669
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Code function: 0_2_006FF6CC mov eax, dword ptr fs:[00000030h]		0_2_006FF6CC
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Code function: 0_2_006FF62C mov eax, dword ptr fs:[00000030h]		0_2_006FF62C
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Code function: 0_2_006FEDB6 mov eax, dword ptr fs:[00000030h]		0_2_006FEDB6
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Code function: 0_2_006FF80D mov eax, dword ptr fs:[00000030h]		0_2_006FF80D

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Code function: 0_2_00D2F3F0 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc,

0_2_00D2F3F0

Enables debug privileges

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Section loaded: unknown target: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe protection: execute and read and write

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'

Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
Source: Yara match	File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.248234831.000000000674B000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
Source: Yara match	File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE