
Analysis Report Invoice PaymentPDF.vbs

Overview

General Information

Sample Name: Invoice PaymentPDF.vbs
Analysis ID: 382764
MD5: 3911ee0964b7aa57b411fe3d88d304d6
SHA1: b6f21d1f4a6f3329e8403038906fc93a7872fcee
SHA256: ea5784a4389f86bb28ec9ca5fc099b5d4e8791983ce7b66df5c1cf8cb01e5952
Tags: NanoCore, RAT, vbs

Detection

Nanocore, AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Detected Nanocore Rat
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 5648 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice PaymentPDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • file.exe (PID: 360 cmdline: 'C:\Users\user~1\AppData\Local\Temp\file.exe' MD5: 76D2BB0F57BBF02E190055FCDB3663DB)
    • name.exe (PID: 4704 cmdline: 'C:\Users\user~1\AppData\Local\Temp\name.exe' MD5: 50B53CECA7021AD9ABEA4074A634680A)
  • cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "23.238.217.173", "Ports": "6606,7707,8808", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "rCdLgrV42q0DuDQzYbk2auSrJRoHXPHS", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "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", "ServerSignature": "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", "Group": "NOW"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\name.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Local\Temp\name.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\Users\user\AppData\Local\Temp\name.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
C:\Users\user\AppData\Local\Temp\name.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.492099585.0000000000DA0000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.488368637.0000000000872000.00000002.00020000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000004.00000002.498075697.0000000005350000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
(77 entries in total; only the first are listed here)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.name.exe.31a89d8.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
4.2.name.exe.31a89d8.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
4.2.name.exe.455fab8.19.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
4.2.name.exe.455fab8.19.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
4.2.name.exe.455fab8.19.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(168 entries in total; only the first are listed here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\name.exe, ProcessId: 4704, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection: