Analysis Report b2NaDSFu9T.exe

Overview

General Information

Sample Name:	b2NaDSFu9T.exe
Analysis ID:	402647
MD5:	042aa11c6d49e1cca5923f02d1b0a5ae
SHA1:	5a89ff2f9702a53fb638b8c7229ba868aaa58ae9
SHA256:	3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

NanoCore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": ".0.0.0,", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Multi AV Scanner detection for submitted file

Source: b2NaDSFu9T.exe	Virustotal: Detection: 17%			Perma Link
Source: b2NaDSFu9T.exe	ReversingLabs: Detection: 17%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE

Compliance:

Uses 32bit PE files

Source: b2NaDSFu9T.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04F50460
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04F50451
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04F505A8
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04F50598

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49707 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49716 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49721 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49724 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49728 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49729 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49730 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49731 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49738 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49744 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49745 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49746 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49750 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49759 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49760 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49761 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49762 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49763 -> 79.134.225.26:1133

Source: Malware configuration extractor	URLs: 79.134.225.26
Source: Malware configuration extractor	URLs: nassiru1166main.ddns.net

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26

Source: b2NaDSFu9T.exe	String found in binary or memory: https://github.com/unguest
Source: b2NaDSFu9T.exe	String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_04F60032 NtQuerySystemInformation,		0_2_04F60032
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_04F60007 NtQuerySystemInformation,		0_2_04F60007

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B94290	0_2_02B94290
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B92620	0_2_02B92620
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97468	0_2_02B97468
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B93988	0_2_02B93988
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B93180	0_2_02B93180
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B95130	0_2_02B95130
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B94282	0_2_02B94282
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B96AF8	0_2_02B96AF8
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B96AE8	0_2_02B96AE8
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97ED0	0_2_02B97ED0
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B95E28	0_2_02B95E28
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B96E20	0_2_02B96E20
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B9BA20	0_2_02B9BA20
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B95E19	0_2_02B95E19
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B92610	0_2_02B92610
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B96E10	0_2_02B96E10
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97268	0_2_02B97268
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97258	0_2_02B97258
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97E54	0_2_02B97E54
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B94FFF	0_2_02B94FFF
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B930D0	0_2_02B930D0
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B9BC38	0_2_02B9BC38
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B95038	0_2_02B95038
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97018	0_2_02B97018
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97008	0_2_02B97008
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97459	0_2_02B97459
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B9B598	0_2_02B9B598
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B93DE8	0_2_02B93DE8
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B93938	0_2_02B93938
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B93978	0_2_02B93978
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_04F50133	0_2_04F50133

Source: b2NaDSFu9T.exe	Binary or memory string: OriginalFilename vs b2NaDSFu9T.exe
Source: b2NaDSFu9T.exe, 00000000.00000002.263411006.0000000005260000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs b2NaDSFu9T.exe
Source: b2NaDSFu9T.exe, 00000000.00000002.263841980.00000000057A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs b2NaDSFu9T.exe
Source: b2NaDSFu9T.exe, 00000000.00000002.263181372.0000000005110000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs b2NaDSFu9T.exe
Source: b2NaDSFu9T.exe, 00000000.00000002.258151442.0000000001069000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs b2NaDSFu9T.exe
Source: b2NaDSFu9T.exe	Binary or memory string: OriginalFilenameInterfaceTypeAttribute.exe6 vs b2NaDSFu9T.exe

Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{21f4355e-8257-4e77-8f1b-c822c6ea3cbe}

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: unknown	Process created: C:\Users\user\Desktop\b2NaDSFu9T.exe 'C:\Users\user\Desktop\b2NaDSFu9T.exe'
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_007C8A79 push cs; iretd	0_2_007C8BA4
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_007C9E79 push cs; retf	0_2_007C9E84
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_007C9477 push cs; ret	0_2_007C9484
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_007C9E87 push cs; retf	0_2_007C9EA0
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B99072 push cs; ret	0_2_02B99073

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b2NaDSFu9T.exe PID: 5340, type: MEMORY

Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: threadDelayed 364	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 645	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 731	Jump to behavior

Analysis Report b2NaDSFu9T.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe TID: 3888	Thread sleep time: -100818s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe TID: 4920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe TID: 2840	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Thread delayed: delay time: 100818	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 824008	Jump to behavior

Name	Malicious	Antivirus Detection	Reputation
79.134.225.26	true	Avira URL Cloud: safe	unknown
nassiru1166main.ddns.net	true	Avira URL Cloud: safe	unknown

ID:	402647
Product:	CloudBasic
Start time:	11:34:42
Start date:	03.05.2021
Sample:	b2NaDSFu9T.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	042aa11c6d49e1cca5923f02d1b0a5ae
SHA1:	5a89ff2f9702a53fb638b8c7229ba868aaa58ae9
SHA256:	3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\b2NaDSFu9T.exe.log	ASCII text, with CRLF line terminators	B1DB55991C3DA14E35249AEA1BC357CA	0DD2D91198FDEF296441B12F1A906669B279700C	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat	data	9D28662484E30E8B7C123705C7B0C8E6	BFB9A9E2BDC178B5E8FE1CDFB68D65D8D7F4840A	F699DB97FD0C37997AA67809552C1B2C6500E07660D0540055896615F12A90D7
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	data	0DC2073C953398D28C9D8E44EEA5ADA1	FA0FA923069FACF1AF850D9672C0FC451328C71E	7376B029584CD7CC2E8EB49E35D9243124AFA2AC557B6141C94788BADD19002A