
Analysis Report BFSV-1F(N)_1B-8B_ANSI.exe

Overview

General Information

Sample Name: BFSV-1F(N)_1B-8B_ANSI.exe
Analysis ID: 337281
MD5: 36f13aad903e851544fe137feca3435b
SHA1: 776d3d7e39a8b3e72e2e9b5c36a615e3157d05ad
SHA256: 41617ac4431c229ba27bf94617b465309e7f502ae5088cd12ee571a0428ea120
Tags: exe, NanoCoreRAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 5932 cmdline: 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe' MD5: 36F13AAD903E851544FE137FECA3435B)
    • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 4420 cmdline: 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe' MD5: 36F13AAD903E851544FE137FECA3435B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x215e5:$x1: NanoCore.ClientPluginHost
  • 0x21622:$x2: IClientNetworkHost
  • 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x2135d:$x1: NanoCore Client.exe
  • 0x215e5:$x2: NanoCore.ClientPluginHost
  • 0x22c1e:$s1: PluginCommand
  • 0x22c12:$s2: FileCommand
  • 0x23ac3:$s3: PipeExists
  • 0x2987a:$s4: PipeCreated
  • 0x2160f:$s5: IClientLoggingHost
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x2134d:$a: NanoCore
  • 0x2135d:$a: NanoCore
  • 0x21591:$a: NanoCore
  • 0x215a5:$a: NanoCore
  • 0x215e5:$a: NanoCore
  • 0x213ac:$b: ClientPlugin
  • 0x215ae:$b: ClientPlugin
  • 0x215ee:$b: ClientPlugin
  • 0x214d3:$c: ProjectData
  • 0x21eda:$d: DESCrypto
  • 0x298a6:$e: KeepAlive
  • 0x27894:$g: LogClientMessage
  • 0x23a8f:$i: get_Connected
  • 0x22210:$j: #=q
  • 0x22240:$j: #=q
  • 0x2225c:$j: #=q
  • 0x2228c:$j: #=q
  • 0x222a8:$j: #=q
  • 0x222c4:$j: #=q
  • 0x222f4:$j: #=q
  • 0x22310:$j: #=q
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932 | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x10dff2:$x1: NanoCore.ClientPluginHost
  • 0x10e053:$x2: IClientNetworkHost
  • 0x113458:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x1213ca:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1d9e5:$x1: NanoCore.ClientPluginHost
  • 0x1da22:$x2: IClientNetworkHost
  • 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x1d75d:$x1: NanoCore Client.exe
  • 0x1d9e5:$x2: NanoCore.ClientPluginHost
  • 0x1f01e:$s1: PluginCommand
  • 0x1f012:$s2: FileCommand
  • 0x1fec3:$s3: PipeExists
  • 0x25c7a:$s4: PipeCreated
  • 0x1da0f:$s5: IClientLoggingHost
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x1d74d:$a: NanoCore
  • 0x1d75d:$a: NanoCore
  • 0x1d991:$a: NanoCore
  • 0x1d9a5:$a: NanoCore
  • 0x1d9e5:$a: NanoCore
  • 0x1d7ac:$b: ClientPlugin
  • 0x1d9ae:$b: ClientPlugin
  • 0x1d9ee:$b: ClientPlugin
  • 0x1d8d3:$c: ProjectData
  • 0x1e2da:$d: DESCrypto
  • 0x25ca6:$e: KeepAlive
  • 0x23c94:$g: LogClientMessage
  • 0x1fe8f:$i: get_Connected
  • 0x1e610:$j: #=q
  • 0x1e640:$j: #=q
  • 0x1e65c:$j: #=q
  • 0x1e68c:$j: #=q
  • 0x1e6a8:$j: #=q
  • 0x1e6c4:$j: #=q
  • 0x1e6f4:$j: #=q
  • 0x1e710:$j: #=q
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x215e5:$x1: NanoCore.ClientPluginHost
  • 0x21622:$x2: IClientNetworkHost
  • 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe, ProcessId: 4420, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview



AV Detection:

Antivirus / Scanner detection for submitted sample
Source: BFSV-1F(N)_1B-8B_ANSI.exe | Avira: detected
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
Source: Yara match | File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: BFSV-1F(N)_1B-8B_ANSI.exe | Joe Sandbox ML: detected
Source: BFSV-1F(N)_1B-8B_ANSI.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: BFSV-1F(N)_1B-8B_ANSI.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.410135152.0000000006773000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49716 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49721 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49728 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49760 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49761 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49762 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49763 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49764 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49767 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49768 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49769 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49770 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49771 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49772 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49773 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49774 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49775 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49776 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49777 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49778 -> 45.138.49.96:9999
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49779 -> 45.138.49.96:9999
Source: global traffic | TCP traffic: 192.168.2.3:49716 -> 45.138.49.96:9999
Source: Joe Sandbox View | ASN Name: ASDETUKhttpwwwheficedcomGB ASDETUKhttpwwwheficedcomGB
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.49.96
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000002.242332679.00000000008AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
Source: Yara match | File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_00D2B650 | 0_2_00D2B650
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_00D2A879 | 0_2_00D2A879
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_00D24610 | 0_2_00D24610
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_00D29700 | 0_2_00D29700
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_00D2CC36 | 0_2_00D2CC36
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.239929756.000000001A496000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.248234831.000000000674B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/4@0/1
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_00D30000 EntryPoint,FindResourceW,LoadResource,VirtualProtect,EnumLanguageGroupLocalesW, | 0_2_00D30000
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{c9506c35-7fc9-4302-a06c-3e362d7043e7}
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | File read: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown | Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: unknown | Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: BFSV-1F(N)_1B-8B_ANSI.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: BFSV-1F(N)_1B-8B_ANSI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.410135152.0000000006773000.00000004.00000001.sdmp
Source: initial sample | Static PE information: section where entry point is pointing to: .stub
Source: BFSV-1F(N)_1B-8B_ANSI.exe | Static PE information: section name: .code
Source: BFSV-1F(N)_1B-8B_ANSI.exe | Static PE information: section name: .stub
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_00D21000 push eax; ret | 0_2_00D2102E

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | File opened: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Window / User API: threadDelayed 5591
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Window / User API: threadDelayed 2861
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Window / User API: foregroundWindowGot 626
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Window / User API: foregroundWindowGot 790
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe TID: 6232 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_00D2F270 mov eax, dword ptr fs:[00000030h] | 0_2_00D2F270
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_006FF669 mov eax, dword ptr fs:[00000030h] | 0_2_006FF669
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_006FF6CC mov eax, dword ptr fs:[00000030h] | 0_2_006FF6CC
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_006FF62C mov eax, dword ptr fs:[00000030h] | 0_2_006FF62C
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_006FEDB6 mov eax, dword ptr fs:[00000030h] | 0_2_006FEDB6
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_006FF80D mov eax, dword ptr fs:[00000030h] | 0_2_006FF80D
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 0_2_00D2F3F0 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc, | 0_2_00D2F3F0
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe  Section loaded: unknown target: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe  Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct (observed 27 times)
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct (observed 27 times)
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct (observed 27 times)
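The anti-analysis lines above (PEB reads via fs:[30h], the 922337203685477 ms delay, foreground-window polling), the self-injection pair under "Maps a DLL or memory area into another process" (an RWX section mapped into the sample's own image followed by the sample spawning a copy of itself) and the repeated ROOT\SecurityCenter2 queries are the indicators an analyst wants pulled out of a report like this automatically. The following is an added example, not part of the original report and not Joe Sandbox code: it parses "Source: <process> <event>" evidence lines into (process, event) pairs, applies one rule per indicator and produces a score. The sample lines are constructed from the report text; the category names and weights are assumptions made for illustration.

```python
"""Triage of Joe Sandbox-style behaviour lines for a suspected RAT loader.

Added example; it is not part of the original report and not Joe Sandbox
code. It parses 'Source: <process> <event>' evidence lines like the ones in
the report into (process, event) pairs and scores the evasion, injection and
reconnaissance indicators shown above. The sample lines are constructed from
the report text; the category names and weights are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input modelled on the report's evidence lines.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Window / User API: foregroundWindowGot 626
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Code function: 0_2_00D2F270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Section loaded: unknown target: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
"""

# The report's process column ends in '.exe' and the extraction often drops
# the space before the event text, so allow zero or more spaces between them.
LINE_RE = re.compile(r"^Source:\s*(?P<proc>.+?\.exe)\s*(?P<event>\S.*)$")

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks; at 10,000 ticks per
# millisecond that is 922337203685477 ms, exactly the delay in the report.
TIMESPAN_MAX_MS = (2**63 - 1) // 10000
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's own ">= 3 min" threshold

# (category, pattern, weight) for context-free indicators. Weights are assumed.
RULES = [
    ("peb_read", re.compile(r"fs:\[0*30h\]"), 2),          # PEB via fs:[30h]
    ("av_discovery", re.compile(
        r"ROOT\\SecurityCenter2 : SELECT \w+ FROM "
        r"(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)"), 2),
    ("machine_guid", re.compile(r"\\Cryptography MachineGuid$"), 1),
    ("user_probe", re.compile(r"foregroundWindowGot \d+"), 1),
]


@dataclass
class Triage:
    counts: Counter = field(default_factory=Counter)  # raw repetitions
    findings: list = field(default_factory=list)       # (category, detail)
    score: int = 0                                     # each category once


def parse_line(line):
    """Split one evidence line into (process, event); None if not one."""
    m = LINE_RE.match(line.strip())
    return (m.group("proc"), m.group("event")) if m else None


def indicators(proc, event):
    """Yield (category, weight, detail) for every indicator in one event."""
    for cat, rx, w in RULES:
        if rx.search(event):
            yield cat, w, event
    m = re.search(r"Thread delayed: delay time: (\d+)", event)
    if m:
        ms = int(m.group(1))
        if ms == TIMESPAN_MAX_MS:
            yield "long_sleep", 3, "TimeSpan.MaxValue sleep (%d ms)" % ms
        elif ms >= LONG_SLEEP_MS:
            yield "long_sleep", 2, "sleep of %d ms" % ms
    # RWX mapping into the sample's own image plus spawning a copy of itself
    # is the self-injection pattern the 'Maps a DLL or memory area' signature flags.
    m = re.search(r"Section loaded: unknown target: (.+?) protection: "
                  r"execute and read and write", event)
    if m and m.group(1) == proc:
        yield "rwx_self_map", 3, event
    m = re.search(r"Process created: (.+?) '", event)
    if m and m.group(1) == proc:
        yield "self_spawn", 3, event


def triage(lines):
    """Score a list of evidence lines; returns a Triage."""
    t = Triage()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        for cat, w, detail in indicators(*parsed):
            if cat not in t.counts:
                t.score += w
            t.counts[cat] += 1
            t.findings.append((cat, detail))
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LINES.strip().splitlines())
    for cat, n in sorted(result.counts.items()):
        print("%-14s x%d" % (cat, n))
    print("score:", result.score)
```

Each category contributes its weight once, while the counter keeps the raw repetition (27 SecurityCenter2 round-trips in the report is itself a tell for a polling loop). The RWX-section and process-creation rules only fire when the target equals the originating process, which separates the self-hollowing pattern seen here from an ordinary child process launch.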

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match  File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
      Source: Yara match  File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
      Source: Yara match  File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp  String found in binary or memory: NanoCore.ClientPluginHost
      Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.248234831.000000000674B000.00000004.00000001.sdmp  String found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RAT
      Source: Yara match  File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
      Source: Yara match  File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
      Source: Yara match  File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE
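The "Detected Nanocore Rat" signature above rests on the string NanoCore.ClientPluginHost turning up in two memory dumps. The sample is .NET (see the GAC assemblies it touches), and in a .NET assembly's metadata that identifier is stored as UTF-8 (plain ASCII here) while any managed string built from it at run time is UTF-16LE, so a scanner that only greps ASCII can miss the live copy. The following is an added example, not part of the report and not Joe Sandbox or YARA code: it searches a dump for both encodings and emits the equivalent YARA rule. The dump is constructed; the rule name is an assumption.

```python
"""Find the NanoCore.ClientPluginHost marker in a memory dump.

Added example; not part of the report and not Joe Sandbox or YARA code. The
report matched 'NanoCore.ClientPluginHost' in the sample's process memory.
The sample is .NET, whose metadata stores the identifier as UTF-8 while a
managed string holding it at run time is UTF-16LE, so a scanner that only
greps ASCII misses the live copy. The dump below is constructed.
"""
import re

MARKER = "NanoCore.ClientPluginHost"  # plugin-host identifier quoted in the report


def marker_patterns(marker=MARKER):
    """Byte encodings a memory scanner must search for the same identifier."""
    return {
        "ascii": marker.encode("ascii"),
        "utf16le": marker.encode("utf-16-le"),
    }


def scan(buf, marker=MARKER):
    """Return sorted (offset, encoding) pairs for every occurrence in buf."""
    hits = []
    for enc, pat in marker_patterns(marker).items():
        for m in re.finditer(re.escape(pat), buf):
            hits.append((m.start(), enc))
    return sorted(hits)


def yara_rule(marker=MARKER, name="nanocore_clientpluginhost"):
    """Equivalent YARA rule: the 'ascii wide' modifiers cover both encodings."""
    return (
        "rule %s {\n"
        "    strings:\n"
        "        $s = \"%s\" ascii wide\n"
        "    condition:\n"
        "        $s\n"
        "}\n" % (name, marker)
    )


def build_sample_dump():
    """Constructed dump: header bytes, an ASCII copy, then a UTF-16LE copy."""
    return (b"\x00" * 16 + b"MZ" + b"\x90" * 30
            + MARKER.encode("ascii") + b"\x00" * 20
            + MARKER.encode("utf-16-le") + b"\x00" * 8)


if __name__ == "__main__":
    for offset, enc in scan(build_sample_dump()):
        print("0x%08x %s" % (offset, enc))
    print(yara_rule())
```

On a real dump, feed `scan()` the bytes of the .sdmp or of the process memory read via your debugger; an ASCII-only hit usually points at the metadata heap of the mapped assembly, while a UTF-16LE hit is a string the running code materialised.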

      Mitre Att&ck Matrix

      The report draws the matrix as a grid with one column per tactic. Techniques followed by a count in parentheses are the ones the analysis matched (the digits the extraction fused onto the names are kept exactly as extracted); the rest are the grid's unmatched placeholders. Transposed here, one tactic per line:

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
      Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
      Privilege Escalation: Process Injection (111); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
      Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2); Disable or Modify Tools (1); Process Injection (111); Hidden Files and Directories (1); Obfuscated Files or Information (1)
      Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
      Discovery: Query Registry (1); Security Software Discovery (2); Virtualization/Sandbox Evasion (2); Process Discovery (1); Application Window Discovery (1); System Information Discovery (12)
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
      Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
      Command and Control: Encrypted Channel (1); Non-Standard Port (1); Remote Access Software (1); Protocol Impersonation; Fallback Channels; Multiband Communication
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

      Behavior Graph

      [Behavior graph (Behavior Graph ID: 337281) is an image not reproduced here. Its legend distinguished processes, signatures, created and dropped files, DNS/IP info, Windows processes, counts of created registry values and files, the implementation language (Visual Basic, Delphi, Java, .NET C# or VB.NET, C/C++ or other), malicious nodes and Internet nodes.]