
Analysis Report transfer pdf.exe

Overview

General Information

Sample Name: transfer pdf.exe
Analysis ID: 402568
MD5: ceab5875bc8300bade1fa862d446af5b
SHA1: 7f181a1500e1b2cbf7c76466210c58d166c30c62
SHA256: 56f803925d37e489e72c9e3a7bf128d46fd29b62f858961b2f644edf09530602
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • transfer pdf.exe (PID: 5984 cmdline: 'C:\Users\user\Desktop\transfer pdf.exe' MD5: CEAB5875BC8300BADE1FA862D446AF5B)
    • powershell.exe (PID: 4012 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\transfer pdf.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3060 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\mrCqHfpog.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5316 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mrCqHfpog' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C2B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6272 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\mrCqHfpog.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • transfer pdf.exe (PID: 6296 cmdline: C:\Users\user\Desktop\transfer pdf.exe MD5: CEAB5875BC8300BADE1FA862D446AF5B)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.513751941.0000000005990000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
0000000C.00000002.513751941.0000000005990000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
0000000C.00000002.513751941.0000000005990000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.515591721.0000000006D90000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
0000000C.00000002.515591721.0000000006D90000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
(45 entries in the full report; only the first ones are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.transfer pdf.exe.6d40000.34.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost
12.2.transfer pdf.exe.6d40000.34.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x59eb:$x2: NanoCore.ClientPluginHost
  • 0x6941:$s3: PipeExists
  • 0x5be1:$s4: PipeCreated
  • 0x5a05:$s5: IClientLoggingHost
12.2.transfer pdf.exe.44ce7b8.9.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
12.2.transfer pdf.exe.44ce7b8.9.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
12.2.transfer pdf.exe.44ce7b8.9.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(147 entries in the full report; only the first ones are shown here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\transfer pdf.exe, ProcessId: 6296, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mrCqHfpog' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C2B.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mrCqHfpog' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C2B.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\transfer pdf.exe', ParentImage: C:\Users\user\Desktop\transfer pdf.exe, ParentProcessId: 5984, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mrCqHfpog' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C2B.tmp', ProcessId: 5316

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000C.00000002.510709014.00000000044C9000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Yara detected Nanocore RAT
Source: Yara match, File source: 0000000C.00000002.513751941.0000000005990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.512261589.0000000004D53000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.512487196.0000000004EB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.494628444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.511981202.0000000004B6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.272783114.0000000003D99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.510709014.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: transfer pdf.exe PID: 6296, type: MEMORY
Source: Yara match, File source: 12.2.transfer pdf.exe.44ce7b8.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.4d58a68.14.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.4eb9608.21.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.4d53c32.15.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.44ce7b8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.transfer pdf.exe.3f7dee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.44c9982.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.4d58a68.14.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.5990000.25.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.4c25e65.13.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.4eb47d2.22.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.transfer pdf.exe.3f7dee0.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.5990000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.4d5d091.16.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.4eb9608.21.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.5994629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.transfer pdf.exe.3e38030.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.4c19c31.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.4ebdc31.20.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.44d2de1.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.transfer pdf.exe.4c3a492.12.raw.unpack, type: UNPACKEDPE