Analysis Report BFSV-1F(N)_1B-8B_ANSI.exe

Overview

General Information

Sample Name: BFSV-1F(N)_1B-8B_ANSI.exe
Analysis ID: 337281
MD5: 36f13aad903e851544fe137feca3435b
SHA1: 776d3d7e39a8b3e72e2e9b5c36a615e3157d05ad
SHA256: 41617ac4431c229ba27bf94617b465309e7f502ae5088cd12ee571a0428ea120
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 5932 cmdline: 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe' MD5: 36F13AAD903E851544FE137FECA3435B)
    • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 4420 cmdline: 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe' MD5: 36F13AAD903E851544FE137FECA3435B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x215e5:$x1: NanoCore.ClientPluginHost
  • 0x21622:$x2: IClientNetworkHost
  • 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0x2135d:$x1: NanoCore Client.exe
  • 0x215e5:$x2: NanoCore.ClientPluginHost
  • 0x22c1e:$s1: PluginCommand
  • 0x22c12:$s2: FileCommand
  • 0x23ac3:$s3: PipeExists
  • 0x2987a:$s4: PipeCreated
  • 0x2160f:$s5: IClientLoggingHost

Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x2134d:$a: NanoCore
  • 0x2135d:$a: NanoCore
  • 0x21591:$a: NanoCore
  • 0x215a5:$a: NanoCore
  • 0x215e5:$a: NanoCore
  • 0x213ac:$b: ClientPlugin
  • 0x215ae:$b: ClientPlugin
  • 0x215ee:$b: ClientPlugin
  • 0x214d3:$c: ProjectData
  • 0x21eda:$d: DESCrypto
  • 0x298a6:$e: KeepAlive
  • 0x27894:$g: LogClientMessage
  • 0x23a8f:$i: get_Connected
  • 0x22210:$j: #=q
  • 0x22240:$j: #=q
  • 0x2225c:$j: #=q
  • 0x2228c:$j: #=q
  • 0x222a8:$j: #=q
  • 0x222c4:$j: #=q
  • 0x222f4:$j: #=q
  • 0x22310:$j: #=q

Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x10dff2:$x1: NanoCore.ClientPluginHost
  • 0x10e053:$x2: IClientNetworkHost
  • 0x113458:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x1213ca:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

(2 further entries not included in this export)

    Unpacked PEs

Source | Rule | Description | Author | Strings

Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x1d9e5:$x1: NanoCore.ClientPluginHost
  • 0x1da22:$x2: IClientNetworkHost
  • 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0x1d75d:$x1: NanoCore Client.exe
  • 0x1d9e5:$x2: NanoCore.ClientPluginHost
  • 0x1f01e:$s1: PluginCommand
  • 0x1f012:$s2: FileCommand
  • 0x1fec3:$s3: PipeExists
  • 0x25c7a:$s4: PipeCreated
  • 0x1da0f:$s5: IClientLoggingHost

Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x1d74d:$a: NanoCore
  • 0x1d75d:$a: NanoCore
  • 0x1d991:$a: NanoCore
  • 0x1d9a5:$a: NanoCore
  • 0x1d9e5:$a: NanoCore
  • 0x1d7ac:$b: ClientPlugin
  • 0x1d9ae:$b: ClientPlugin
  • 0x1d9ee:$b: ClientPlugin
  • 0x1d8d3:$c: ProjectData
  • 0x1e2da:$d: DESCrypto
  • 0x25ca6:$e: KeepAlive
  • 0x23c94:$g: LogClientMessage
  • 0x1fe8f:$i: get_Connected
  • 0x1e610:$j: #=q
  • 0x1e640:$j: #=q
  • 0x1e65c:$j: #=q
  • 0x1e68c:$j: #=q
  • 0x1e6a8:$j: #=q
  • 0x1e6c4:$j: #=q
  • 0x1e6f4:$j: #=q
  • 0x1e710:$j: #=q

Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x215e5:$x1: NanoCore.ClientPluginHost
  • 0x21622:$x2: IClientNetworkHost
  • 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

(3 further entries not included in this export)
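The Strings columns above are the raw material an analyst reuses when a Yara binary is not available on the box holding a dump. The following Python is an added example, not Joe Sandbox's scanner and not the rule authors' code: it looks for the indicator strings named in the tables (the $x/$s identifiers of Nanocore_RAT_Feb18_1 plus the "#=q" marker counted by the Kevin Breen rule) and renders hits in the same "0xoffset:$id: string" form. The match condition in `verdict` is a simplified approximation of my own, not the published rule logic, and the dump buffer is constructed here for illustration.

```python
"""Locate NanoCore indicator strings in a memory dump and print them in the
report's '0xoffset:$id: string' format (added example; condition is an
approximation, not the published Yara rules)."""

# String identifiers and values as listed in the report's Yara tables.
INDICATORS = {
    "$x1": b"NanoCore.ClientPluginHost",
    "$x2": b"IClientNetworkHost",
    "$s1": b"PluginCommand",
    "$s2": b"FileCommand",
    "$s3": b"PipeExists",
    "$s4": b"PipeCreated",
    "$s5": b"IClientLoggingHost",
    # "#=q" is the symbol-renaming prefix emitted by Eazfuscator.NET; its
    # density is what the $j string in the Kevin Breen rule keys on.
    "$j": b"#=q",
}


def find_all(buf: bytes, needle: bytes):
    """Yield every byte offset of needle in buf (overlapping hits included)."""
    start = 0
    while True:
        idx = buf.find(needle, start)
        if idx < 0:
            return
        yield idx
        start = idx + 1


def scan(buf: bytes) -> dict:
    """Return {identifier: [offsets]} for every indicator present in buf."""
    hits = {}
    for ident, needle in INDICATORS.items():
        offsets = list(find_all(buf, needle))
        if offsets:
            hits[ident] = offsets
    return hits


def verdict(hits: dict) -> bool:
    """Assumed condition (not the rule text): any $x string, or at least
    three $s strings, or eight or more Eazfuscator '#=q' prefixes."""
    has_x = any(k.startswith("$x") for k in hits)
    n_s = sum(1 for k in hits if k.startswith("$s"))
    n_j = len(hits.get("$j", []))
    return has_x or n_s >= 3 or n_j >= 8


def format_hits(hits: dict) -> list:
    """Render hits the way the report's Strings column does, sorted by offset."""
    lines = [
        f"0x{off:x}:{ident}: {INDICATORS[ident].decode()}"
        for ident, offsets in hits.items()
        for off in offsets
    ]
    return sorted(lines, key=lambda line: int(line.split(":")[0], 16))


# Constructed stand-in for a process memory dump; not the real sdmp file.
SAMPLE_DUMP = (
    b"\x00" * 0x100
    + b"NanoCore.ClientPluginHost\x00"
    + b"\x00" * 0x20
    + b"IClientLoggingHost\x00"
    + b"PipeExists\x00"
    + b"#=qAbC\x00" * 9
    + b"\x00" * 0x40
)

if __name__ == "__main__":
    found = scan(SAMPLE_DUMP)
    for line in format_hits(found):
        print(line)
    print("NanoCore indicators present:", verdict(found))
```

To use it on a real artefact, read the .sdmp or unpacked PE into `buf` and call `scan(buf)`; the offsets are file offsets into that dump, which is why the same string appears at 0x215e5 in the raw dump and at 0x1d9e5 in the rebuilt PE (the unpacker drops section padding). The approximated condition is there to show where a rule's logic lives; use the real rules with yara-python for anything that matters.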

      Sigma Overview

      System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe, ProcessId: 4420, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
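The Sigma hit above fires on a Sysmon FileCreate (EventID 11) that writes run.dat into a GUID-named folder under %APPDATA%\Roaming; the GUID changes per NanoCore build, so the folder name has to be matched as a pattern rather than a literal. The following Python is an added example of that check over Sysmon-style records, not Joe Security's rule or the sandbox's matcher. The field names (EventID, Image, ProcessId, TargetFilename) follow Sysmon's FileCreate event; the sample events are constructed here, with the first one mirroring the report's hit. Accepting optional braces around the GUID is my own choice, not something the report shows.

```python
"""Flag NanoCore-style run.dat drops in Sysmon EventID 11 records
(added example modelled on the Sigma hit above, not the rule itself)."""
import re

# %APPDATA%\Roaming\<GUID>\run.dat, GUID with or without braces (braces are
# an assumption about possible variants; the observed path has none).
RUN_DAT = re.compile(
    r"\\AppData\\Roaming\\\{?"
    r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"
    r"\}?\\run\.dat$",
    re.IGNORECASE,
)


def is_nanocore_run_dat(event: dict) -> bool:
    """True for a Sysmon FileCreate (EventID 11) whose target matches RUN_DAT."""
    if event.get("EventID") != 11:
        return False
    return bool(RUN_DAT.search(event.get("TargetFilename", "")))


def triage(events):
    """Return (ProcessId, Image, TargetFilename) for every matching event."""
    return [
        (e["ProcessId"], e["Image"], e["TargetFilename"])
        for e in events
        if is_nanocore_run_dat(e)
    ]


# Constructed Sysmon-style records; the first mirrors the hit in the report.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 4420,
     "Image": r"C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    # Benign: a vendor folder under Roaming, not a GUID, and not run.dat.
    {"EventID": 11, "ProcessId": 1234,
     "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\App\settings.dat"},
    # Same path but a ProcessCreate event, so the file rule must not fire.
    {"EventID": 1, "ProcessId": 5932,
     "Image": r"C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    # GUID written with braces; caught because the pattern allows them.
    {"EventID": 11, "ProcessId": 777,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\{D06ED635-68F6-4E9A-955C-4899F5F57B9A}\run.dat"},
]

if __name__ == "__main__":
    for pid, image, target in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {image} wrote {target}")
```

Note that the hit in the report comes from PID 4420, the second instance of the sample (see Startup), not the parent that was launched from the desktop; when pivoting from this alert, walk up to the parent process as well.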

      Signature Overview

      AV Detection:

Antivirus / Scanner detection for submitted sample
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Avira: detected
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Joe Sandbox ML: detected
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP; source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb; source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb; source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.410135152.0000000006773000.00000004.00000001.sdmp

      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:<sport> -> 45.138.49.96:9999, raised 28 times, once per source port: 49716, 49721, 49728, 49735, 49736, 49738, 49740, 49749, 49753, 49759, 49760, 49761, 49762, 49763, 49764, 49767, 49768, 49769, 49770, 49771, 49772, 49773, 49774, 49775, 49776, 49777, 49778, 49779
Source: global traffic; TCP traffic: 192.168.2.3:49716 -> 45.138.49.96:9999
Source: Joe Sandbox View; ASN Name: ASDETUKhttpwwwheficedcomGB
Source: unknown; TCP traffic detected without corresponding DNS query: 45.138.49.96 (reported 50 times)
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000002.242332679.00000000008AA000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
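Two of the network indicators above are cheap to reproduce outside a sandbox: a TCP destination that never appeared in any DNS answer (a hardcoded C2 address), and repeated connections to one host on a port nothing legitimate uses. The following Python is an added example, not Joe Sandbox's implementation, that applies both checks to simplified flow and DNS records of the kind exported from Zeek's conn.log and dns.log or from a pcap. Only the destination 45.138.49.96:9999 and the 28 source ports come from the report; the record layout, the port allow-list and the other entries are constructed for illustration.

```python
"""Spot DNS-less TCP destinations and repeated non-standard-port connections
in flow/DNS records (added example, not the sandbox's detection code)."""
from collections import Counter, defaultdict

# Ports a workstation is expected to talk to; everything else is 'non-standard'.
# This allow-list is an assumption for the example; tune it per environment.
STANDARD_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}


def resolved_addresses(dns_records):
    """Map answer IP -> set of names that resolved to it (A/AAAA answers only)."""
    seen = defaultdict(set)
    for rec in dns_records:
        if rec["qtype"] in ("A", "AAAA"):
            for ip in rec["answers"]:
                seen[ip].add(rec["query"])
    return seen


def tcp_without_dns(flows, dns_records):
    """Destination IPs reached over TCP that never appeared in a DNS answer."""
    resolved = resolved_addresses(dns_records)
    return sorted({f["dst"] for f in flows
                   if f["proto"] == "tcp" and f["dst"] not in resolved})


def nonstandard_port_beacons(flows, min_connections=5):
    """(dst, dport, count) for TCP destinations on non-standard ports that were
    contacted at least min_connections times; the shape behind the 28 Snort hits."""
    counts = Counter((f["dst"], f["dport"]) for f in flows
                     if f["proto"] == "tcp" and f["dport"] not in STANDARD_PORTS)
    return [(dst, port, n) for (dst, port), n in counts.items()
            if n >= min_connections]


# Constructed records. The C2 flows reuse the source ports from the Snort alerts.
C2_SPORTS = [49716, 49721, 49728, 49735, 49736, 49738, 49740, 49749, 49753, 49759,
             49760, 49761, 49762, 49763, 49764, 49767, 49768, 49769, 49770, 49771,
             49772, 49773, 49774, 49775, 49776, 49777, 49778, 49779]
SAMPLE_DNS = [
    {"query": "www.example.com", "qtype": "A", "answers": ["93.184.216.34"]},
]
SAMPLE_FLOWS = (
    [{"proto": "tcp", "src": "192.168.2.3", "sport": sp,
      "dst": "45.138.49.96", "dport": 9999} for sp in C2_SPORTS]
    + [{"proto": "tcp", "src": "192.168.2.3", "sport": 49800,
        "dst": "93.184.216.34", "dport": 443}]   # resolved, standard port
)

if __name__ == "__main__":
    print("TCP destinations with no DNS resolution:",
          tcp_without_dns(SAMPLE_FLOWS, SAMPLE_DNS))
    print("Repeated non-standard-port destinations:",
          nonstandard_port_beacons(SAMPLE_FLOWS))
```

The DNS-less check assumes the DNS records cover the whole observation window; a host that resolved a name before capture started, or that uses DoH, will produce false positives, so treat the output as a pivot list, not a verdict. Here the two checks agree on the same destination, which is what makes the 9999/tcp traffic worth blocking at the egress point rather than only at the endpoint.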

      E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00D2B650
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00D2A879
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00D24610
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00D29700
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00D2CC36
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.239929756.000000001A496000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.248234831.000000000674B000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine; Classification label: mal100.troj.evad.winEXE@3/4@0/1
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00D30000 EntryPoint,FindResourceW,LoadResource,VirtualProtect,EnumLanguageGroupLocalesW,
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{c9506c35-7fc9-4302-a06c-3e362d7043e7}
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; File read: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP; source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb; source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.236111484.000000001A330000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb; source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.410135152.0000000006773000.00000004.00000001.sdmp
Source: initial sample; Static PE information: section where entry point is pointing to: .stub
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: section name: .code
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: section name: .stub
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00D21000 push eax; ret

      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; File opened: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process information set: NOOPENFILEERRORBOX (reported 39 times)
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Window / User API: threadDelayed 5591
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Window / User API: threadDelayed 2861
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Window / User API: foregroundWindowGot 626
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Window / User API: foregroundWindowGot 790
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe TID: 6232; Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00D2F270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_006FF669 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_006FF6CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_006FF62C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_006FEDB6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_006FF80D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00D2F3F0 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc,
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      Maps a DLL or memory area into another processShow sources
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Section loaded: unknown target: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
(The three SecurityCenter2 queries above are listed 27 times each, in the same order, in the full report; the 78 repeated rows are omitted here.)
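The WMI rows above are what the "Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)" signature keys on: the same three ROOT\SecurityCenter2 classes, polled over and over. The following added example, not code from the report or the sample, parses such signature rows into per-process query counts and flags a process that enumerated all three product classes. It accepts both the raw export layout (process path run straight into "WMI Queries:") and the cleaned layout with a separator; the input rows are copied from this report and the parser works only on that row format.

```python
import re
from collections import Counter, defaultdict

# One "WMI Queries" signature row. The process path and the "WMI Queries:"
# label may be run together (raw export) or separated by ";" or "|".
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)(?:\s*[|;])?\s*WMI Queries:\s*"
    r"IWbemServices::ExecQuery\s*-\s*(?P<ns>[\w\\]+)\s*:\s*(?P<query>.+?)\s*$")
CLASS_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

# Classes in ROOT\SecurityCenter2 that list registered security products.
SECURITY_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}


def parse_wmi_lines(lines):
    """Map each process to a Counter of (namespace, class) -> number of queries."""
    per_proc = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                     # not a WMI row (token, registry, ... rows)
        cls = CLASS_RE.search(m.group("query"))
        if not cls:
            continue
        per_proc[m.group("proc")][(m.group("ns").upper(), cls.group(1))] += 1
    return per_proc


def enumerates_security_products(queries: Counter) -> bool:
    """True when a process asked SecurityCenter2 for AV, anti-spyware and firewall products."""
    seen = {cls for ns, cls in queries if ns == r"ROOT\SECURITYCENTER2"}
    return SECURITY_CLASSES <= seen


def summarize(lines):
    """Per process: total SecurityCenter2 queries and whether all three classes were hit."""
    out = {}
    for proc, queries in parse_wmi_lines(lines).items():
        total = sum(n for (ns, _), n in queries.items() if ns == r"ROOT\SECURITYCENTER2")
        out[proc] = {"securitycenter2_queries": total,
                     "all_three_classes": enumerates_security_products(queries)}
    return out


# Constructed input: rows copied from this report, one in the raw run-together
# layout and one non-WMI row to show that it is ignored.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct",
    r"Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct",
    r"Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process token adjusted: Debug",
]

if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_LINES).items():
        print(proc, info)
```

Installers and endpoint-management agents also query these classes, usually once. What separates this sample is the combination: all three classes, 27 passes, from a user-profile executable that also injects into itself, so use the count and the process context together rather than the query alone.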

      Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

Detected Nanocore Rat
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000001.00000003.248234831.000000000674B000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5932, type: MEMORY
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d40000.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Digits in parentheses are the superscript match counts from the original matrix (one number per matching signature); techniques without a count were not observed for this sample and are the matrix's standard placeholders.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (1) | Path Interception | Process Injection (1 1 1) | Masquerading (1) | Input Capture (1) | Query Registry (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (2) | LSASS Memory | Security Software Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (1) | Security Account Manager | Virtualization/Sandbox Evasion (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (1 1 1) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (1) | Cached Domain Credentials | System Information Discovery (1 2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features

Behavior Graph

(Interactive process/signature graph; not reproduced in this export.)

Screenshots

(Screenshot thumbnails; not reproduced in this export.)

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
BFSV-1F(N)_1B-8B_ANSI.exe | 100% | Avira | TR/Crypt.XPACK.Gen
BFSV-1F(N)_1B-8B_ANSI.exe | 100% | Joe Sandbox ML | -

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

Source | Detection | Scanner | Label
0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d20000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.BFSV-1F(N)_1B-8B_ANSI.exe.d20000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.BFSV-1F(N)_1B-8B_ANSI.exe.d20000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs


      Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.138.49.96 | unknown | Germany | 61317 | ASDETUKhttpwwwheficedcomGB | true

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:337281
      Start date:08.01.2021
      Start time:09:23:02
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 20s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:BFSV-1F(N)_1B-8B_ANSI.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:34
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@3/4@0/1
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 1% (good quality ratio 0%)
      • Quality average: 0%
      • Quality standard deviation: 0%
      HCA Information:Failed
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
Warnings:
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • TCP Packets have been reduced to 100
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, SgrmBroker.exe, svchost.exe, UsoClient.exe, wuapihost.exe
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

      Simulations

      Behavior and APIs

Time | Type | Description
09:24:10 | API Interceptor | 1454x Sleep call for process: BFSV-1F(N)_1B-8B_ANSI.exe modified

      Joe Sandbox View / Context

      IPs

Match | Associated Sample Name / URL | Detection
45.138.49.96 | ts1593782194000000.exe | malicious

        Domains

        No context

        ASN

Match: ASDETUKhttpwwwheficedcomGB

Associated Sample Name / URL | Detection | IP
ts1593782194000000.exe | malicious | 45.138.49.96
https://mysp.ac/WJKWebxcAX/../4lj3C#fCfAXmrBDFsvHupFQHQULbmkQvY | malicious | 181.214.121.98
https://storage.googleapis.com/hjjdkkejsdido/ar.html | malicious | 181.214.121.98
SecuriteInfo.com.Variant.Bulz.286556.17709.exe | malicious | 191.96.184.151
https://00000000.rdtk.io/5fea58f1588f49000120c69f?thru=thru2 | malicious | 154.16.134.180
http://p4fxv.info/D3c2Hp2HMI | malicious | 154.16.134.180
http://p4fxv.info/D3c2Hp2HMI | malicious | 154.16.134.180
https://uwvhagmjgz.objects-us-east-1.dream.io/1.html#qs=r-acacaegfhckeadkfkgjejaejcckabababadhadbfaccadieacjjkagggbcacb | malicious | 154.16.134.180
Requestforprices..xlsx | malicious | 181.214.31.82
SecuriteInfo.com.Trojan.BtcMine.3311.17146.exe | malicious | 181.214.59.30
Shipping_Details.exe | malicious | 181.214.142.116
zSPIyck1p9.exe | malicious | 181.214.142.116
Shipping_Details.exe | malicious | 181.214.142.116
qkN4OZWFG6.exe | malicious | 154.16.46.128
kvdYhqN3Nh.exe | malicious | 154.16.46.128
rJz6SePuqu.dll | malicious | 191.96.108.132
Inv_RM55024.exe | malicious | 181.214.142.131
Receipt.exe | malicious | 181.214.142.131
3yhnaDfaxn.exe | malicious | 154.16.46.128
file 010.20.doc | malicious | 45.150.64.102

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
        Process:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
        File Type:data
        Category:dropped
        Size (bytes):1392
        Entropy (8bit):7.024371743172393
        Encrypted:false
        SSDEEP:24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUt4:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/f
        MD5:E78C6686C5A1A9CB0724F84DEA9A75F0
        SHA1:80E61D5BDC7AF293362024781DA66BEA9D370FF9
        SHA-256:FBE0B513511C00AC3B7169E1BCFB675CFD708B249365D724269C23FAC1184967
        SHA-512:FF3835238CAEA26D8800B56901AB962ACD2FA390F955C4A8A15B5817AAB7642D105538CF63938D218567501477FB4B23C2834F22CBC8BA0002C7BCACB2875637
        Malicious:false
        Reputation:low
        Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Process:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
        File Type:ISO-8859 text, with no line terminators
        Category:dropped
        Size (bytes):8
        Entropy (8bit):3.0
        Encrypted:false
        SSDEEP:3:nvt:n1
        MD5:3F3CD5C288B64A7072F09AC01296FBC4
        SHA1:E46242146BEBEFF9D2FF11B8C187518025E4E182
        SHA-256:35943387C3ACAE14B8EE9FA76521D176C82DEB8F1BA2EDDB1F3BDCFF2863236B
        SHA-512:A02091D483EB31B5590C522B6AD3192134BD1C3BED2D53ACAB699579EF4A6B882547006D443289B0CEDBEA6C0BC94CF2A596120F71E0C9FB7137C187F7F30CAC
        Malicious:true
        Reputation:low
        Preview: ...5...H
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
        Process:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
        File Type:data
        Category:dropped
        Size (bytes):40
        Entropy (8bit):5.153055907333276
        Encrypted:false
        SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
        MD5:4E5E92E2369688041CC82EF9650EDED2
        SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
        SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
        SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
        Process:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
        File Type:data
        Category:dropped
        Size (bytes):327432
        Entropy (8bit):7.99938831605763
        Encrypted:true
        SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
        MD5:7E8F4A764B981D5B82D1CC49D341E9C6
        SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
        SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
        SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

        Static File Info

        General

        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.860141249668034
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:BFSV-1F(N)_1B-8B_ANSI.exe
        File size:346624
        MD5:36f13aad903e851544fe137feca3435b
        SHA1:776d3d7e39a8b3e72e2e9b5c36a615e3157d05ad
        SHA256:41617ac4431c229ba27bf94617b465309e7f502ae5088cd12ee571a0428ea120
        SHA512:77a68e34a1bbf2360f8473368a0e3fd9c54567477a29561980851b82bd8ac1655919a109d6d4456a67bd633ef436fcf4697fc77d17e03e701d36ee7b82f296e6
        SSDEEP:6144:cvnifsw4lp4UlclMNJO2OOZNYQjJntWar4u0PYlcf2ELdYyfHwgF2r2QQvipF:snL3lklmOkYstWa/7cfNLyR2kF
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.3.g.]Ug.]Ug.]U..\Tv.]Ug.\UN.]U..SUf.]U..YTf.]U...Uf.]U.._Tf.]URichg.]U........PE..L......_...................................

        File Icon

        Icon Hash:74f4c4ccccd4d0d4

        Static PE Info

        General

        Entrypoint:0x410000
        Entrypoint Section:.stub
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Time Stamp:0x5FF7808C [Thu Jan 7 21:43:40 2021 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:6a01311f3b93e75b0932a2018ac2171e

        Entrypoint Preview

        Instruction
        push ebp
        mov ebp, esp
        mov eax, 00001A30h
        call 00007FC2FCA2FBC8h
        call 00007FC2FCA3DE33h
        mov dword ptr [ebp-0Ch], eax
        call 00007FC2FCA3DFABh
        push 0000000Ah
        push 004100D4h
        push 00000000h
        call dword ptr [00403024h]
        mov dword ptr [ebp-04h], eax
        mov eax, dword ptr [ebp-04h]
        push eax
        push 00000000h
        call dword ptr [00403010h]
        mov dword ptr [ebp-08h], eax
        push 00001A05h
        mov ecx, dword ptr [ebp-08h]
        push ecx
        lea edx, dword ptr [ebp-00001A30h]
        push edx
        call 00007FC2FCA3DF15h
        mov ecx, 00000000h
        mov al, byte ptr [ebp+ecx-00001A30h]
        cmp ecx, 00001A05h
        je 00007FC2FCA3EC02h
        xor al, A3h
        dec al
        sub al, A3h
        inc al
        add al, A7h
        dec al
        add al, 40h
        sub al, 8Bh
        add al, 72h
        xor al, ADh
        sub al, E1h
        add al, D6h
        dec al
        xor al, 99h
        sub al, C3h
        inc al
        add al, 28h
        add al, F0h
        mov byte ptr [ebp+ecx-00001A30h], al
        add ecx, 01h
        jmp 00007FC2FCA3EB93h
        mov al, 00h
        mov ecx, 00000000h
        lea eax, dword ptr [ebp-10h]
        push eax
        push 00000040h
        push 00001A05h
        lea ecx, dword ptr [ebp-00001A30h]
        push ecx
        call dword ptr [00403014h]
        push 00000000h
        push 00000000h
        push 00000002h
        lea edx, dword ptr [ebp-00001A30h]
        push edx
        call dword ptr [00403020h]
        lea eax, dword ptr [ebp+00h]

        Data Directories

        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30c4 | 0xb4 | .idata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x4138 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0x80 | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2000 | 0x1c | .data
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0xc4 | .idata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Sections

        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x15a | 0x200 | False | 0.42578125 | data | 3.57394794431 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .data | 0x2000 | 0x150 | 0x200 | False | 0.37890625 | data | 2.5909148946 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .idata | 0x3000 | 0x576 | 0x600 | False | 0.486328125 | data | 4.62959328748 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .code | 0x4000 | 0xb454 | 0xb600 | False | 0.499291723901 | data | 5.38349156704 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .stub | 0x10000 | 0xe6 | 0x200 | False | 0.40625 | data | 3.07398255133 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .rsrc | 0x11000 | 0x4138 | 0x4200 | False | 0.817412405303 | data | 7.56696464821 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x16000 | 0x80 | 0x200 | False | 0.26953125 | data | 1.68689486927 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Resources

        Name | RVA | Size | Type | Language | Country
        RT_ICON | 0x11100 | 0x2615 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
        RT_RCDATA | 0x13730 | 0x1a05 | data | English | United States
        RT_GROUP_ICON | 0x13718 | 0x14 | data | English | United States

        Imports

        DLL | Import
        KERNEL32.dll | LoadResource, VirtualProtect, GetProcessHeap, HeapAlloc, EnumLanguageGroupLocalesW, FindResourceW
        wsnmp32.dll |
        COMDLG32.dll | ChooseFontW, ReplaceTextA, PrintDlgA
        SETUPAPI.dll | SetupOpenMasterInf, SetupDiCreateDeviceInfoListExA, SetupDiGetDeviceInfoListDetailW, SetupQueryDrivesInDiskSpaceListW, SetupDiCancelDriverInfoSearch, SetupQueryFileLogA
        ole32.dll | OleCreateEmbeddingHelper, DllGetClassObjectWOW, OleGetIconOfFile, OleQueryLinkFromData, HWND_UserSize
        WINSPOOL.DRV | FindNextPrinterChangeNotification, DeletePrinterDriverA, DeletePrinterDataW, DocumentPropertiesA, EnumPrinterDataExA, AddFormA
        SHLWAPI.dll | SHRegGetBoolUSValueW, StrSpnA, StrRChrIA, SHDeleteEmptyKeyW, UrlEscapeW
        loadperf.dll | UnloadPerfCounterTextStringsA, LoadPerfCounterTextStringsA

        Possible Origin

        Language of compilation system | Country where language is spoken
        English | United States

        Network Behavior

        Snort IDS Alerts

        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
        01/08/21-09:24:11.140705 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49716 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:24:17.902668 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49721 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:24:25.388192 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49728 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:24:31.278859 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49735 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:24:37.425775 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:24:44.986569 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49738 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:24:51.260108 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49740 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:24:58.098409 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49749 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:25:03.147692 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49753 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:25:09.262215 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49759 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:25:15.224134 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49760 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:25:21.269898 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49761 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:25:27.242753 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49762 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:25:33.237074 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49763 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:25:39.241771 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49764 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:25:45.227980 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49767 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:25:51.238341 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49768 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:25:57.259892 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49769 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:26:03.246907 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49770 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:26:09.229937 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49771 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:26:15.229234 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49772 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:26:21.249433 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49773 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:26:27.232176 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49774 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:26:34.829754 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49775 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:26:41.886345 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49776 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:26:47.983092 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49777 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:26:54.327113 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49778 | 9999 | 192.168.2.3 | 45.138.49.96
        01/08/21-09:27:02.343670 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49779 | 9999 | 192.168.2.3 | 45.138.49.96

        Network Port Distribution

        TCP Packets


        Code Manipulations

        Statistics

        Behavior

        System Behavior

        General

        Start time:09:24:03
        Start date:08/01/2021
        Path:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
        Imagebase:0xd20000
        File size:346624 bytes
        MD5 hash:36F13AAD903E851544FE137FECA3435B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.242826392.0000000000D40000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Reputation:low

        General

        Start time:09:24:05
        Start date:08/01/2021
        Path:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
        Imagebase:0xd20000
        File size:346624 bytes
        MD5 hash:36F13AAD903E851544FE137FECA3435B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:low

        Disassembly

        Code Analysis
