Loading ...

Play interactive tourEdit tour

Analysis Report hbvo9thTAX.exe

Overview

General Information

Sample Name:hbvo9thTAX.exe
Analysis ID:381486
MD5:0d646c6e6c2666f24b9e65cd1322fa86
SHA1:9e7bfc67a55d697ec2dc7779737e4bc4793fcce8
SHA256:cb19133e564f301e0b3bcba9f0cd81dd21ab65aaf5a4d506c29e70159b2c26bc
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • hbvo9thTAX.exe (PID: 5108 cmdline: 'C:\Users\user\Desktop\hbvo9thTAX.exe' MD5: 0D646C6E6C2666F24B9E65CD1322FA86)
    • powershell.exe (PID: 2148 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\hbvo9thTAX.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3040 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\QeANuFTFqbK.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4556 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QeANuFTFqbK' /XML 'C:\Users\user\AppData\Local\Temp\tmpABAD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6240 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\QeANuFTFqbK.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • hbvo9thTAX.exe (PID: 6264 cmdline: C:\Users\user\Desktop\hbvo9thTAX.exe MD5: 0D646C6E6C2666F24B9E65CD1322FA86)
  • dhcpmon.exe (PID: 6768 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 0D646C6E6C2666F24B9E65CD1322FA86)
    • powershell.exe (PID: 6848 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6892 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QeANuFTFqbK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3FE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7068 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\QeANuFTFqbK.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 7128 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 0D646C6E6C2666F24B9E65CD1322FA86)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "282cf72b-8a92-4c1b-b768-b591a1e0", "Group": "jobo", "Domain1": "james12.ddns.net", "Domain2": "127.0.0.1", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000C.00000002.514853524.0000000005470000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
0000000C.00000002.514853524.0000000005470000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
0000000C.00000002.514853524.0000000005470000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    0000000C.00000002.517643399.0000000006D20000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x5fee:$x1: NanoCore.ClientPluginHost
    • 0x602b:$x2: IClientNetworkHost
    0000000C.00000002.517643399.0000000006D20000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x5fee:$x2: NanoCore.ClientPluginHost
    • 0x9441:$s4: PipeCreated
    • 0x6018:$s5: IClientLoggingHost
    Click to see the 52 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    12.2.hbvo9thTAX.exe.3dc7ce1.17.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x2dbb:$x1: NanoCore.ClientPluginHost
    • 0x2de5:$x2: IClientNetworkHost
    12.2.hbvo9thTAX.exe.3dc7ce1.17.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x2dbb:$x2: NanoCore.ClientPluginHost
    • 0x4c6b:$s4: PipeCreated
    13.2.dhcpmon.exe.3e03290.1.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xe38d:$x1: NanoCore.ClientPluginHost
    • 0xe3ca:$x2: IClientNetworkHost
    • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    13.2.dhcpmon.exe.3e03290.1.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xe105:$x1: NanoCore Client.exe
    • 0xe38d:$x2: NanoCore.ClientPluginHost
    • 0xf9c6:$s1: PluginCommand
    • 0xf9ba:$s2: FileCommand
    • 0x1086b:$s3: PipeExists
    • 0x16622:$s4: PipeCreated
    • 0xe3b7:$s5: IClientLoggingHost
    13.2.dhcpmon.exe.3e03290.1.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security