Loading ...

Play interactive tourEdit tour

Analysis Report PAYMENT COPY.exe

Overview

General Information

Sample Name:PAYMENT COPY.exe
Analysis ID:356453
MD5:53e8c460446fe305dfc2159961aa6234
SHA1:bbebce3965dfc237eac2711a47c141a4f8ff0083
SHA256:b082aa828dd2eb42d6e1de8ccd8573ac3096ceee92ad26449fc1df6e490ff4ed
Tags:exeNanoCoreRATSCB

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PAYMENT COPY.exe (PID: 6392 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
    • PAYMENT COPY.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
      • schtasks.exe (PID: 6532 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6596 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • PAYMENT COPY.exe (PID: 6612 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
    • PAYMENT COPY.exe (PID: 6712 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
  • dhcpmon.exe (PID: 6744 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
  • dhcpmon.exe (PID: 5932 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
    • dhcpmon.exe (PID: 2896 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405", "Group": "Default", "Domain1": "chinomso.duckdns.org", "Domain2": "chinomso.duckdns.org", "Port": 7688, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "chinomso.duckdns.org", "BackupDNSServer": "chinomso.duckdns.orgAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x29615:$x1: NanoCore.ClientPluginHost
  • 0x29652:$x2: IClientNetworkHost
  • 0x2d185:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x2738:$a: NanoCore
    • 0x2937d:$a: NanoCore
    • 0x2938d:$a: NanoCore
    • 0x295c1:$a: NanoCore
    • 0x295d5:$a: NanoCore
    • 0x29615:$a: NanoCore
    • 0x293dc:$b: ClientPlugin
    • 0x295de:$b: ClientPlugin
    • 0x2961e:$b: ClientPlugin
    • 0x5fe50:$b: ClientPlugin
    • 0x79f06:$b: ClientPlugin
    • 0x29503:$c: ProjectData
    • 0x29f0a:$d: DESCrypto
    • 0x318d6:$e: KeepAlive
    • 0x2f8c4:$g: LogClientMessage
    • 0x2babf:$i: get_Connected
    • 0x2a240:$j: #=q
    • 0x2a270:$j: #=q
    • 0x2a28c:$j: #=q
    • 0x2a2bc:$j: #=q
    • 0x2a2d8:$j: #=q
    00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x350b:$x1: NanoCore.ClientPluginHost
    • 0x3525:$x2: IClientNetworkHost
    00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x350b:$x2: NanoCore.ClientPluginHost
    • 0x52b6:$s4: PipeCreated
    • 0x34f8:$s5: IClientLoggingHost
    Click to see the 113 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    1.2.PAYMENT COPY.exe.780000.16.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x5fee:$x1: NanoCore.ClientPluginHost
    • 0x602b:$x2: IClientNetworkHost
    1.2.PAYMENT COPY.exe.780000.16.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x5fee:$x2: NanoCore.ClientPluginHost
    • 0x9441:$s4: PipeCreated
    • 0x6018:$s5: IClientLoggingHost
    1.2.PAYMENT COPY.exe.27b2a64.22.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1deb:$x1: NanoCore.ClientPluginHost
    • 0x1e24:$x2: IClientNetworkHost
    1.2.PAYMENT COPY.exe.27b2a64.22.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x1deb:$x2: NanoCore.ClientPluginHost
    • 0x1f36:$s4: PipeCreated
    • 0x1e05:$s5: IClientLoggingHost
    1.2.PAYMENT COPY.exe.400000.1.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x251e5:$x1: NanoCore.ClientPluginHost
    • 0x25222:$x2: IClientNetworkHost
    • 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe