Analysis Report 256ec8f8f67b59c5e085b0bb63afcd13.exe

Overview

General Information

Sample Name: 256ec8f8f67b59c5e085b0bb63afcd13.exe
Analysis ID: 355753
MD5: 0bbcc2e64e3edf053ed4af2c0bafb0eb
SHA1: c006b8d2ec4b92f441815b20f1bdadf98eab1b4d
SHA256: 52d01903f7c366e01359a00ea771ca1f71d4e1bb54731290bc62c3a218f5af80
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 256ec8f8f67b59c5e085b0bb63afcd13.exe (PID: 6720 cmdline: 'C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe' MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
    • 256ec8f8f67b59c5e085b0bb63afcd13.exe (PID: 6416 cmdline: {path} MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
      • schtasks.exe (PID: 6540 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6632 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA082.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 2460 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
    • dhcpmon.exe (PID: 6500 cmdline: {path} MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
  • dhcpmon.exe (PID: 7160 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
    • dhcpmon.exe (PID: 5748 cmdline: {path} MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "94----",
  "Group": "V-HASH",
  "Domain1": "cloudhost.myfirewall.org",
  "Domain2": "cloudhost.myfirewall.org",
  "Port": 5654,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "cloudhost.myfirewall.org",
  "BackupDNSServer": "cloudhost.myfirewall.orgbxpU=",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x23877:$a: NanoCore
  • 0x238d0:$a: NanoCore
  • 0x2390d:$a: NanoCore
  • 0x23986:$a: NanoCore
  • 0x238d9:$b: ClientPlugin
  • 0x23916:$b: ClientPlugin
  • 0x24214:$b: ClientPlugin
  • 0x24221:$b: ClientPlugin
  • 0x1b5fe:$e: KeepAlive
  • 0x23d61:$g: LogClientMessage
  • 0x23ce1:$i: get_Connected
  • 0x158a9:$j: #=q
  • 0x158d9:$j: #=q
  • 0x15915:$j: #=q
  • 0x1593d:$j: #=q
  • 0x1596d:$j: #=q
  • 0x1599d:$j: #=q
  • 0x159cd:$j: #=q
  • 0x159fd:$j: #=q
  • 0x15a19:$j: #=q
  • 0x15a49:$j: #=q
00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x23761d:$x1: NanoCore.ClientPluginHost
  • 0x26a03d:$x1: NanoCore.ClientPluginHost
  • 0x23765a:$x2: IClientNetworkHost
  • 0x26a07a:$x2: IClientNetworkHost
  • 0x23b18d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x26dbad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x237385:$a: NanoCore
  • 0x237395:$a: NanoCore
  • 0x2375c9:$a: NanoCore
  • 0x2375dd:$a: NanoCore
  • 0x23761d:$a: NanoCore
  • 0x269da5:$a: NanoCore
  • 0x269db5:$a: NanoCore
  • 0x269fe9:$a: NanoCore
  • 0x269ffd:$a: NanoCore
  • 0x26a03d:$a: NanoCore
  • 0x2373e4:$b: ClientPlugin
  • 0x2375e6:$b: ClientPlugin
  • 0x237626:$b: ClientPlugin
  • 0x269e04:$b: ClientPlugin
  • 0x26a006:$b: ClientPlugin
  • 0x26a046:$b: ClientPlugin
  • 0x1835a1:$c: ProjectData
  • 0x23750b:$c: ProjectData
  • 0x269f2b:$c: ProjectData
  • 0x237f12:$d: DESCrypto
  • 0x26a932:$d: DESCrypto
(62 entries in total; the remaining entries are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
14.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
14.2.dhcpmon.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
(122 entries in total; the remaining entries are not shown here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe, ProcessId: 6416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe, ParentProcessId: 6416, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp', ProcessId: 6540

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.orgbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Yara detected Nanocore RAT
Source: Yara match, File source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5748, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 2460, type: MEMORY
Source: Yara match, File source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720, type: MEMORY
Source: Yara match, File source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY
Source: Yara match, File source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6500, type: MEMORY
Source: Yara match, File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dhcpmon.exe.3ffeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.dhcpmon.exe.46f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.dhcpmon.exe.3d78490.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.43beab4.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.dhcpmon.exe.45fffe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.43c30dd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dhcpmon.exe.3ffeab4.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.dhcpmon.exe.46f8490.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.dhcpmon.exe.3d78490.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dhcpmon.exe.40030dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.43b9c7e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.43beab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, Joe Sandbox ML: detected
Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack, Avira: Label: TR/NanoCore.fadte
Source: 12.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.904860246.0000000002A85000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.680575404.0000000008770000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907073740.0000000005920000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.717914840.00000000082E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724995186.00000000076E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.734162357.0000000008310000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe, Code function: 4x nop then lea ecx, dword ptr [ebp-30h], 0_2_05470608
Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe, Code function: 4x nop then lea ecx, dword ptr [ebp-30h], 7_2_055C0608
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then lea ecx, dword ptr [ebp-30h], 8_2_02560608
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then lea ecx, dword ptr [ebp-30h], 10_2_017F0608

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: cloudhost.myfirewall.org
Source: global traffic, TCP traffic: 192.168.2.4:49743 -> 79.134.225.105:5654
Source: Joe Sandbox View, IP Address: 79.134.225.105
Source: Joe Sandbox View, ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown, DNS traffic detected: queries for: cloudhost.myfirewall.org
Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002