Loading ...

Play interactive tourEdit tour

Analysis Report LIST OF POEA DELISTED AGENCIES.pdf.exe

Overview

General Information

Sample Name:LIST OF POEA DELISTED AGENCIES.pdf.exe
Analysis ID:383708
MD5:170934b168c75ed396332a6af365a478
SHA1:9089f509aae08997e6c8da1a33f3c5156a6f06bc
SHA256:1b7d2ae0faed1db793cfcf75e11cc0308c69af37540d27b9dbd104d0f850a658
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • LIST OF POEA DELISTED AGENCIES.pdf.exe (PID: 204 cmdline: 'C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe' MD5: 170934B168C75ED396332A6AF365A478)
    • schtasks.exe (PID: 804 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lYcqUUrbhRC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • LIST OF POEA DELISTED AGENCIES.pdf.exe (PID: 5592 cmdline: {path} MD5: 170934B168C75ED396332A6AF365A478)
      • schtasks.exe (PID: 6240 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB457.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • LIST OF POEA DELISTED AGENCIES.pdf.exe (PID: 6380 cmdline: 'C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe' 0 MD5: 170934B168C75ED396332A6AF365A478)
    • schtasks.exe (PID: 6672 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lYcqUUrbhRC' /XML 'C:\Users\user\AppData\Local\Temp\tmp5375.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "a8eeb35c-017d-4116-8f99-efe29258", "Group": "uuu", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.504910894.0000000005340000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000007.00000002.504910894.0000000005340000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x435b5:$a: NanoCore
    • 0x4360e:$a: NanoCore
    • 0x4364b:$a: NanoCore
    • 0x436c4:$a: NanoCore
    • 0x56d6f:$a: NanoCore
    • 0x56d84:$a: NanoCore
    • 0x56db9:$a: NanoCore
    • 0x6fd5b:$a: NanoCore
    • 0x6fd70:$a: NanoCore
    • 0x6fda5:$a: NanoCore
    • 0x43617:$b: ClientPlugin
    • 0x43654:$b: ClientPlugin
    • 0x43f52:$b: ClientPlugin
    • 0x43f5f:$b: ClientPlugin
    • 0x56b2b:$b: ClientPlugin
    • 0x56b46:$b: ClientPlugin
    • 0x56b76:$b: ClientPlugin
    • 0x56d8d:$b: ClientPlugin
    • 0x56dc2:$b: ClientPlugin
    • 0x6fb17:$b: ClientPlugin
    • 0x6fb32:$b: ClientPlugin
    00000007.00000002.505287922.0000000005780000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
    Click to see the 57 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xd9ad:$x1: NanoCore.ClientPluginHost
    • 0xd9da:$x2: IClientNetworkHost
    7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xd9ad:$x2: NanoCore.ClientPluginHost
    • 0xea88:$s4: PipeCreated
    • 0xd9c7:$s5: IClientLoggingHost
    7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2eb60d8.3.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x2dbb:$x1: NanoCore.ClientPluginHost
      • 0x2de5:$x2: IClientNetworkHost
      7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2eb60d8.3.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x2dbb:$x2: NanoCore.ClientPluginHost
      • 0x4c6b:$s4: PipeCreated
      Click to see the 157 entries

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe, ProcessId: 5592, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Sigma detected: Scheduled temp file as task from temp locationShow sources
      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lYcqUUrbhRC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp',