Loading ...

Play interactive tourEdit tour

Analysis Report PAYMENT COPY.exe


General Information

Sample Name:PAYMENT COPY.exe
Analysis ID:356453

Most interesting Screenshot:


Range:0 - 100


Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match



  • System is w10x64
  • PAYMENT COPY.exe (PID: 6392 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
    • PAYMENT COPY.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
      • schtasks.exe (PID: 6532 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6596 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • PAYMENT COPY.exe (PID: 6612 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
    • PAYMENT COPY.exe (PID: 6712 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
  • dhcpmon.exe (PID: 6744 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
  • dhcpmon.exe (PID: 5932 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
    • dhcpmon.exe (PID: 2896 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "", "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405", "Group": "Default", "Domain1": "chinomso.duckdns.org", "Domain2": "chinomso.duckdns.org", "Port": 7688, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "chinomso.duckdns.org", "BackupDNSServer": "chinomso.duckdns.orgAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x29615:$x1: NanoCore.ClientPluginHost
  • 0x29652:$x2: IClientNetworkHost
  • 0x2d185:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x2738:$a: NanoCore
    • 0x2937d:$a: NanoCore
    • 0x2938d:$a: NanoCore
    • 0x295c1:$a: NanoCore
    • 0x295d5:$a: NanoCore
    • 0x29615:$a: NanoCore
    • 0x293dc:$b: ClientPlugin
    • 0x295de:$b: ClientPlugin
    • 0x2961e:$b: ClientPlugin
    • 0x5fe50:$b: ClientPlugin
    • 0x79f06:$b: ClientPlugin
    • 0x29503:$c: ProjectData
    • 0x29f0a:$d: DESCrypto
    • 0x318d6:$e: KeepAlive
    • 0x2f8c4:$g: LogClientMessage
    • 0x2babf:$i: get_Connected
    • 0x2a240:$j: #=q
    • 0x2a270:$j: #=q
    • 0x2a28c:$j: #=q
    • 0x2a2bc:$j: #=q
    • 0x2a2d8:$j: #=q
    00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x350b:$x1: NanoCore.ClientPluginHost
    • 0x3525:$x2: IClientNetworkHost
    00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x350b:$x2: NanoCore.ClientPluginHost
    • 0x52b6:$s4: PipeCreated
    • 0x34f8:$s5: IClientLoggingHost
    Click to see the 113 entries

    Unpacked PEs

    1.2.PAYMENT COPY.exe.780000.16.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x5fee:$x1: NanoCore.ClientPluginHost
    • 0x602b:$x2: IClientNetworkHost
    1.2.PAYMENT COPY.exe.780000.16.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x5fee:$x2: NanoCore.ClientPluginHost
    • 0x9441:$s4: PipeCreated
    • 0x6018:$s5: IClientLoggingHost
    1.2.PAYMENT COPY.exe.27b2a64.22.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1deb:$x1: NanoCore.ClientPluginHost
    • 0x1e24:$x2: IClientNetworkHost
    1.2.PAYMENT COPY.exe.27b2a64.22.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x1deb:$x2: NanoCore.ClientPluginHost
    • 0x1f36:$s4: PipeCreated
    • 0x1e05:$s5: IClientLoggingHost
    1.2.PAYMENT COPY.exe.400000.1.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x251e5:$x1: NanoCore.ClientPluginHost
    • 0x25222:$x2: IClientNetworkHost
    • 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe