Loading ...

Play interactive tourEdit tour

Analysis Report CHEQUE COPY.exe


General Information

Sample Name:CHEQUE COPY.exe
Analysis ID:355626

Most interesting Screenshot:


Range:0 - 100


Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match



  • System is w10x64
  • CHEQUE COPY.exe (PID: 6828 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY.exe' MD5: EC067B73F3156AEDBD9158F107952EB8)
    • CHEQUE COPY.exe (PID: 6924 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY.exe' MD5: EC067B73F3156AEDBD9158F107952EB8)
      • schtasks.exe (PID: 7096 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DCD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 7148 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp811A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • CHEQUE COPY.exe (PID: 6200 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY.exe' 0 MD5: EC067B73F3156AEDBD9158F107952EB8)
    • CHEQUE COPY.exe (PID: 5852 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY.exe' 0 MD5: EC067B73F3156AEDBD9158F107952EB8)
  • dhcpmon.exe (PID: 6116 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: EC067B73F3156AEDBD9158F107952EB8)
    • dhcpmon.exe (PID: 6356 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: EC067B73F3156AEDBD9158F107952EB8)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "", "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405", "Group": "Default", "Domain1": "chinomso.duckdns.org", "Domain2": "chinomso.duckdns.org", "Port": 7688, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "chinomso.duckdns.org", "BackupDNSServer": "chinomso.duckdns.orgAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

0000000F.00000002.688775764.00000000026C0000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
  • 0x1c85b:$a: NanoCore
  • 0x1c8b4:$a: NanoCore
  • 0x1c8f1:$a: NanoCore
  • 0x1c96a:$a: NanoCore
  • 0x1c8bd:$b: ClientPlugin
  • 0x1c8fa:$b: ClientPlugin
  • 0x1d1f8:$b: ClientPlugin
  • 0x1d205:$b: ClientPlugin
  • 0x129df:$e: KeepAlive
  • 0x1cd45:$g: LogClientMessage
  • 0x1ccc5:$i: get_Connected
  • 0xcc91:$j: #=q
  • 0xccc1:$j: #=q
  • 0xccfd:$j: #=q
  • 0xcd25:$j: #=q
  • 0xcd55:$j: #=q
  • 0xcd85:$j: #=q
  • 0xcdb5:$j: #=q
  • 0xcde5:$j: #=q
  • 0xce01:$j: #=q
  • 0xce31:$j: #=q
0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x43195:$a: NanoCore
    • 0x431ee:$a: NanoCore
    • 0x4322b:$a: NanoCore
    • 0x432a4:$a: NanoCore
    • 0x5694f:$a: NanoCore
    • 0x56964:$a: NanoCore
    • 0x56999:$a: NanoCore
    • 0x6f95b:$a: NanoCore
    • 0x6f970:$a: NanoCore
    • 0x6f9a5:$a: NanoCore
    • 0x431f7:$b: ClientPlugin
    • 0x43234:$b: ClientPlugin
    • 0x43b32:$b: ClientPlugin
    • 0x43b3f:$b: ClientPlugin
    • 0x5670b:$b: ClientPlugin
    • 0x56726:$b: ClientPlugin
    • 0x56756:$b: ClientPlugin
    • 0x5696d:$b: ClientPlugin
    • 0x569a2:$b: ClientPlugin
    • 0x6f717:$b: ClientPlugin
    • 0x6f732:$b: ClientPlugin
    0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x146bd:$x1: NanoCore.ClientPluginHost
    • 0x146fa:$x2: IClientNetworkHost
    • 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 109 entries

      Unpacked PEs

      10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
        11.2.CHEQUE COPY.exe.415058.1.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xe38d:$x1: NanoCore.ClientPluginHost
        • 0xe3ca:$x2: IClientNetworkHost
        • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe