Loading ...

Play interactive tourEdit tour

Analysis Report zr0evNqvkC.exe


General Information

Sample Name:zr0evNqvkC.exe
Analysis ID:383423

Most interesting Screenshot:


Range:0 - 100


Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match



  • System is w10x64
  • zr0evNqvkC.exe (PID: 7000 cmdline: 'C:\Users\user\Desktop\zr0evNqvkC.exe' MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
    • zr0evNqvkC.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\zr0evNqvkC.exe' MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
      • schtasks.exe (PID: 5728 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE5B6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6484 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE932.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • zr0evNqvkC.exe (PID: 5020 cmdline: C:\Users\user\Desktop\zr0evNqvkC.exe 0 MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
    • zr0evNqvkC.exe (PID: 4228 cmdline: C:\Users\user\Desktop\zr0evNqvkC.exe 0 MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
  • dhcpmon.exe (PID: 6368 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
    • dhcpmon.exe (PID: 6568 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
  • dhcpmon.exe (PID: 6744 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
    • dhcpmon.exe (PID: 6784 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "", "Mutex": "ccf3c62d-d356-4a80-bb94-307bc35a", "Group": "Backup", "Domain1": "backu4734.duckdns.org", "Domain2": "backu4734.duckdns.org", "Port": 8092, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x146bd:$x1: NanoCore.ClientPluginHost
  • 0x146fa:$x2: IClientNetworkHost
  • 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x14425:$a: NanoCore
    • 0x14435:$a: NanoCore
    • 0x14669:$a: NanoCore
    • 0x1467d:$a: NanoCore
    • 0x146bd:$a: NanoCore
    • 0x14484:$b: ClientPlugin
    • 0x14686:$b: ClientPlugin
    • 0x146c6:$b: ClientPlugin
    • 0x145ab:$c: ProjectData
    • 0x14fb2:$d: DESCrypto
    • 0x1c97e:$e: KeepAlive
    • 0x1a96c:$g: LogClientMessage
    • 0x16b67:$i: get_Connected
    • 0x152e8:$j: #=q
    • 0x15318:$j: #=q
    • 0x15334:$j: #=q
    • 0x15364:$j: #=q
    • 0x15380:$j: #=q
    • 0x1539c:$j: #=q
    • 0x153cc:$j: #=q
    • 0x153e8:$j: #=q
    0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0x431bd:$a: NanoCore
      • 0x43216:$a: NanoCore
      • 0x43253:$a: NanoCore
      • 0x432cc:$a: NanoCore
      • 0x56977:$a: NanoCore
      • 0x5698c:$a: NanoCore
      • 0x569c1:$a: NanoCore
      • 0x6f96b:$a: NanoCore
      • 0x6f980:$a: NanoCore
      • 0x6f9b5:$a: NanoCore
      • 0x4321f:$b: ClientPlugin
      • 0x4325c:$b: ClientPlugin
      • 0x43b5a:$b: ClientPlugin
      • 0x43b67:$b: ClientPlugin
      • 0x56733:$b: ClientPlugin
      • 0x5674e:$b: ClientPlugin
      • 0x5677e:$b: ClientPlugin
      • 0x56995:$b: ClientPlugin
      • 0x569ca:$b: ClientPlugin
      • 0x6f727:$b: ClientPlugin
      • 0x6f742:$b: ClientPlugin
      Click to see the 101 entries

      Unpacked PEs

      13.2.dhcpmon.exe.3463214.7.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xf7ad:$x1: NanoCore.ClientPluginHost
      • 0x287a1:$x1: NanoCore.ClientPluginHost
      • 0xf7da:$x2: IClientNetworkHost
      • 0x287ce:$x2: IClientNetworkHost
      13.2.dhcpmon.exe.3463214.7.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xf7ad:$x2: NanoCore.ClientPluginHost
      • 0x287a1:$x2: NanoCore.ClientPluginHost
      • 0x10888:$s4: PipeCreated
      • 0x2987c:$s4: PipeCreated
      • 0xf7c7:$s5: IClientLoggingHost
      • 0x287bb:$s5: IClientLoggingHost
      13.2.dhcpmon.exe.3463214.7.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        12.2.dhcpmon.exe.24a1458.2.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xe38d:$x1: NanoCore.ClientPluginHost
        • 0xe3ca:$x2: IClientNetworkHost
        • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        12.2.dhcpmon.exe.24a1458.2.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0xe105:$x1: NanoCore Client.exe
        • 0xe38d:$x2: NanoCore.ClientPluginHost
        • 0xf9c6:$s1: PluginCommand
        • 0xf9ba:$s2: FileCommand
        • 0x1086b:$s3: PipeExists
        • 0x16622:$s4: PipeCreated
        • 0xe3b7:$s5: IClientLoggingHost