Play interactive tour

Edit tour

Analysis Report b2NaDSFu9T.exe

Overview

General Information

Sample Name:	b2NaDSFu9T.exe
Analysis ID:	402647
MD5:	042aa11c6d49e1cca5923f02d1b0a5ae
SHA1:	5a89ff2f9702a53fb638b8c7229ba868aaa58ae9
SHA256:	3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

NanoCore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

b2NaDSFu9T.exe (PID: 5340 cmdline: 'C:\Users\user\Desktop\b2NaDSFu9T.exe' MD5: 042AA11C6D49E1CCA5923F02D1B0A5AE)

RegSvcs.exe (PID: 4892 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": ".0.0.0,", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2a02ad:$x1: NanoCore.ClientPluginHost 0x3252cd:$x1: NanoCore.ClientPluginHost 0x2a02ea:$x2: IClientNetworkHost 0x32530a:$x2: IClientNetworkHost 0x2a3e1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x328e3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2a0015:$a: NanoCore 0x2a0025:$a: NanoCore 0x2a0259:$a: NanoCore 0x2a026d:$a: NanoCore 0x2a02ad:$a: NanoCore 0x325035:$a: NanoCore 0x325045:$a: NanoCore 0x325279:$a: NanoCore 0x32528d:$a: NanoCore 0x3252cd:$a: NanoCore 0x2a0074:$b: ClientPlugin 0x2a0276:$b: ClientPlugin 0x2a02b6:$b: ClientPlugin 0x325094:$b: ClientPlugin 0x325296:$b: ClientPlugin 0x3252d6:$b: ClientPlugin 0x2a019b:$c: ProjectData 0x3251bb:$c: ProjectData 0x2a0ba2:$d: DESCrypto 0x325bc2:$d: DESCrypto 0x2a856e:$e: KeepAlive
Process Memory Space: b2NaDSFu9T.exe PID: 5340	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x951ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x951ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x98d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x94f15:$a: NanoCore 0x94f25:$a: NanoCore 0x95159:$a: NanoCore 0x9516d:$a: NanoCore 0x951ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x94f74:$b: ClientPlugin 0x95176:$b: ClientPlugin 0x951b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x9509b:$c: ProjectData 0x10a82:$d: DESCrypto 0x95aa2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.b2NaDSFu9T.exe.41a1120.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.b2NaDSFu9T.exe.41a1120.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.b2NaDSFu9T.exe.41a1120.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.b2NaDSFu9T.exe.41a1120.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
Click to see the 2 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 4892, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": ".0.0.0,", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Multi AV Scanner detection for submitted file

Show sources

Source: b2NaDSFu9T.exe	Virustotal: Detection: 17%			Perma Link
Source: b2NaDSFu9T.exe	ReversingLabs: Detection: 17%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE

Source: b2NaDSFu9T.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: b2NaDSFu9T.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: b2NaDSFu9T.exe, 00000000.00000002.263181372.0000000005110000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49707 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49716 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49721 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49724 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49728 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49729 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49730 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49731 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49738 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49744 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49745 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49746 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49750 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49759 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49760 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49761 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49762 -> 79.134.225.26:1133
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49763 -> 79.134.225.26:1133

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 79.134.225.26
Source: Malware configuration extractor	URLs: nassiru1166main.ddns.net

Source: global traffic

TCP traffic: 192.168.2.7:49707 -> 79.134.225.26:1133

Source: Joe Sandbox View

IP Address: 79.134.225.26 79.134.225.26

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26

Source: b2NaDSFu9T.exe	String found in binary or memory: https://github.com/unguest
Source: b2NaDSFu9T.exe	String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: b2NaDSFu9T.exe, 00000000.00000002.258151442.0000000001069000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_04F60032 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_04F60007 NtQuerySystemInformation,

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B94290
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B92620
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97468
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B93988
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B93180
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B95130
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B94282
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B96AF8
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B96AE8
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97ED0
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B95E28
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B96E20
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B9BA20
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B95E19
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B92610
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B96E10
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97268
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97258
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97E54
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B94FFF
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B930D0
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B9BC38
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B95038
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97018
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97008
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B97459
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B9B598
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B93DE8
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B93938
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B93978
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_04F50133

Source: b2NaDSFu9T.exe	Binary or memory string: OriginalFilename vs b2NaDSFu9T.exe
Source: b2NaDSFu9T.exe, 00000000.00000002.263411006.0000000005260000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs b2NaDSFu9T.exe
Source: b2NaDSFu9T.exe, 00000000.00000002.263841980.00000000057A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs b2NaDSFu9T.exe
Source: b2NaDSFu9T.exe, 00000000.00000002.263181372.0000000005110000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs b2NaDSFu9T.exe
Source: b2NaDSFu9T.exe, 00000000.00000002.258151442.0000000001069000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs b2NaDSFu9T.exe
Source: b2NaDSFu9T.exe	Binary or memory string: OriginalFilenameInterfaceTypeAttribute.exe6 vs b2NaDSFu9T.exe

Source: b2NaDSFu9T.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: b2NaDSFu9T.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/3@0/1

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\b2NaDSFu9T.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{21f4355e-8257-4e77-8f1b-c822c6ea3cbe}

Source: b2NaDSFu9T.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: b2NaDSFu9T.exe	Virustotal: Detection: 17%
Source: b2NaDSFu9T.exe	ReversingLabs: Detection: 17%

Source: unknown	Process created: C:\Users\user\Desktop\b2NaDSFu9T.exe 'C:\Users\user\Desktop\b2NaDSFu9T.exe'
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: b2NaDSFu9T.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: b2NaDSFu9T.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: b2NaDSFu9T.exe

Static file information: File size 1141760 > 1048576

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: b2NaDSFu9T.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x115800

Source: b2NaDSFu9T.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: b2NaDSFu9T.exe, 00000000.00000002.263181372.0000000005110000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_007C8A79 push cs; iretd
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_007C9E79 push cs; retf
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_007C9477 push cs; ret
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_007C9E87 push cs; retf
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Code function: 0_2_02B99072 push cs; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.96059480846

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b2NaDSFu9T.exe PID: 5340, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: threadDelayed 364
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 645
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 731

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe TID: 3888	Thread sleep time: -100818s >= -30000s
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe TID: 4920	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe TID: 2840	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Thread delayed: delay time: 100818
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 824008

Source: C:\Users\user\Desktop\b2NaDSFu9T.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Source: RegSvcs.exe, 00000001.00000003.316775849.0000000000E52000.00000004.00000001.sdmp

Binary or memory string: Program Manager

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection312	Masquerading1	Input Capture1	Security Software Discovery11	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection312	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	System Information Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
b2NaDSFu9T.exe	18%	Virustotal		Browse
b2NaDSFu9T.exe	17%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
79.134.225.26	0%	Avira URL Cloud	safe
nassiru1166main.ddns.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
79.134.225.26	true	Avira URL Cloud: safe	unknown
nassiru1166main.ddns.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/unguest	b2NaDSFu9T.exe	false	high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp	false	high
https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty	b2NaDSFu9T.exe	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.26	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	402647
Start date:	03.05.2021
Start time:	11:34:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 44s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	b2NaDSFu9T.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/3@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.3%) Quality average: 77% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 82% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100

Simulations

Behavior and APIs

Time	Type	Description
11:35:53	API Interceptor	1x Sleep call for process: b2NaDSFu9T.exe modified
11:35:55	API Interceptor	1060x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.26	Original title deed.xlsx	Get hash	malicious	Browse
	PpkzTxJVyC.exe	Get hash	malicious	Browse
	Original title deed.xlsx	Get hash	malicious	Browse
	jk55xlWn7a.exe	Get hash	malicious	Browse
	Qds5xiJaAX.exe	Get hash	malicious	Browse
	INVOICE.xlsx	Get hash	malicious	Browse
	owrCPP2YTC.exe	Get hash	malicious	Browse
	reorder17032021.PDF.exe	Get hash	malicious	Browse
	re-order15032021.PDF.exe	Get hash	malicious	Browse
	new order15032021.PDF.exe	Get hash	malicious	Browse
	CLEW enquiry 2021.PDF.exe	Get hash	malicious	Browse
	payment proof.png.exe	Get hash	malicious	Browse
	0001.exe	Get hash	malicious	Browse
	Purchase Order 2021-311743-045.xls.exe	Get hash	malicious	Browse
	CLEW enquiry 2021.PDF.exe	Get hash	malicious	Browse
	Purchase.exe	Get hash	malicious	Browse
	Quote.exe	Get hash	malicious	Browse
	Quotation.exe	Get hash	malicious	Browse
	invoicedHusrLjViL.exe	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Generic.jc.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	Original title deed.xlsx	Get hash	malicious	Browse	79.134.225.26
	ORDER INQUIRY.doc	Get hash	malicious	Browse	79.134.225.52
	To1sRo1E8P.exe	Get hash	malicious	Browse	79.134.225.25
	BhTxt5BUvy.exe	Get hash	malicious	Browse	79.134.225.25
	SCAN_ORDER & SAMPLES.exe	Get hash	malicious	Browse	79.134.225.52
	Apr-advance payment #5972939.exe	Get hash	malicious	Browse	79.134.225.9
	PpkzTxJVyC.exe	Get hash	malicious	Browse	79.134.225.26
	Original title deed.xlsx	Get hash	malicious	Browse	79.134.225.26
	swift copy.exe	Get hash	malicious	Browse	79.134.225.48
	swift copy.exe	Get hash	malicious	Browse	79.134.225.48
	jk55xlWn7a.exe	Get hash	malicious	Browse	79.134.225.26
	Qds5xiJaAX.exe	Get hash	malicious	Browse	79.134.225.26
	INVOICE.xlsx	Get hash	malicious	Browse	79.134.225.26
	UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864888.doc	Get hash	malicious	Browse	79.134.225.91
	Payment-Confirmation_Copy.exe	Get hash	malicious	Browse	79.134.225.108
	owrCPP2YTC.exe	Get hash	malicious	Browse	79.134.225.26
	Payment Advice-BCS_ECS9522020090915390034_3159_952.jar	Get hash	malicious	Browse	79.134.225.59
	nciv84yXK1.exe	Get hash	malicious	Browse	79.134.225.7
	Rechnung.exe	Get hash	malicious	Browse	79.134.225.39
	ENrYP02wGO.exe	Get hash	malicious	Browse	79.134.225.91

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\b2NaDSFu9T.exe.log Download File
Process:	C:\Users\user\Desktop\b2NaDSFu9T.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	664
Entropy (8bit):	5.288448637977022
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5:	B1DB55991C3DA14E35249AEA1BC357CA
SHA1:	0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256:	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512:	BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	432
Entropy (8bit):	7.012278113302776
Encrypted:	false
SSDEEP:	12:X4LEnybgCF7wHJyCe8O6LEnybgCF7wHJyCe8Oh:IQnybgCyHJ5lQnybgCyHJ5i
MD5:	9D28662484E30E8B7C123705C7B0C8E6
SHA1:	BFB9A9E2BDC178B5E8FE1CDFB68D65D8D7F4840A
SHA-256:	F699DB97FD0C37997AA67809552C1B2C6500E07660D0540055896615F12A90D7
SHA-512:	58303088530E6548BBFB1800A52221CE5A29E33A48442DD16524EB1021850E902C0E01FE9035CC8C794E966AFD6A7FA950974E3F1B320A8F37F6090C6D7D3820
Malicious:	false
Reputation:	low
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|X

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:cmr8tn:cNtn
MD5:	0DC2073C953398D28C9D8E44EEA5ADA1
SHA1:	FA0FA923069FACF1AF850D9672C0FC451328C71E
SHA-256:	7376B029584CD7CC2E8EB49E35D9243124AFA2AC557B6141C94788BADD19002A
SHA-512:	83053423035A70D10B0FD614E2267EBE4E6995920E0CF5439CF42E4CFFFB201E3C89E2BFCB9608B0BB9D12B813B0BB0ADC2EBB6A989E2394C7AE162044D84951
Malicious:	true
Reputation:	low
Preview:	...Ib..H

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.956232639570589
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	b2NaDSFu9T.exe
File size:	1141760
MD5:	042aa11c6d49e1cca5923f02d1b0a5ae
SHA1:	5a89ff2f9702a53fb638b8c7229ba868aaa58ae9
SHA256:	3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34
SHA512:	6d0551584f1f4c5391012111be3bc251026d3db6a531ab7a8ce0d41cf278a254bc8a0bc66690a1a93c3bf52c2c1c70e7fcd94e4b8812bcea95efa8bda86d7184
SSDEEP:	24576:jVdIEYuS48YvtC/X4kRxlhtJftkKrEMAtugu+/a:jEjX48uAzJEMZry
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..X...........w... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x517792
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x608FA4A3 [Mon May 3 07:22:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x117740	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x118000	0xed0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x115798	0x115800	False	0.960257425394	data	7.96059480846	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x118000	0xed0	0x1000	False	0.3740234375	data	4.74787952307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x118090	0x3a4	data
RT_MANIFEST	0x118444	0xa85	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	InterfaceTypeAttribute.exe
FileVersion	1.0.1.35
CompanyName	Unguest
LegalTrademarks	Unguest
Comments	A light media player
ProductName	LightWatch
ProductVersion	1.0.1.35
FileDescription	LightWatch
OriginalFilename	InterfaceTypeAttribute.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/03/21-11:35:57.731947	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49707	1133	192.168.2.7	79.134.225.26
05/03/21-11:36:04.057658	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49716	1133	192.168.2.7	79.134.225.26
05/03/21-11:36:10.300646	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49721	1133	192.168.2.7	79.134.225.26
05/03/21-11:36:16.535954	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49724	1133	192.168.2.7	79.134.225.26
05/03/21-11:36:32.356162	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49728	1133	192.168.2.7	79.134.225.26
05/03/21-11:36:38.604791	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49729	1133	192.168.2.7	79.134.225.26
05/03/21-11:36:44.807678	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49730	1133	192.168.2.7	79.134.225.26
05/03/21-11:36:51.125432	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49731	1133	192.168.2.7	79.134.225.26
05/03/21-11:36:57.381214	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49738	1133	192.168.2.7	79.134.225.26
05/03/21-11:37:03.896572	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49744	1133	192.168.2.7	79.134.225.26
05/03/21-11:37:13.224491	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	1133	192.168.2.7	79.134.225.26
05/03/21-11:37:19.689841	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49746	1133	192.168.2.7	79.134.225.26
05/03/21-11:37:29.259378	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49750	1133	192.168.2.7	79.134.225.26
05/03/21-11:37:35.503934	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49759	1133	192.168.2.7	79.134.225.26
05/03/21-11:37:41.765593	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49760	1133	192.168.2.7	79.134.225.26
05/03/21-11:37:48.076433	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49761	1133	192.168.2.7	79.134.225.26
05/03/21-11:37:54.385213	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49762	1133	192.168.2.7	79.134.225.26
05/03/21-11:38:00.574763	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49763	1133	192.168.2.7	79.134.225.26

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2021 11:35:57.175148964 CEST	49707	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:35:57.595338106 CEST	1133	49707	79.134.225.26	192.168.2.7
May 3, 2021 11:35:57.595468044 CEST	49707	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:35:57.731946945 CEST	49707	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:35:58.683852911 CEST	49707	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:35:59.095221043 CEST	1133	49707	79.134.225.26	192.168.2.7
May 3, 2021 11:35:59.095515966 CEST	49707	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:35:59.475019932 CEST	1133	49707	79.134.225.26	192.168.2.7
May 3, 2021 11:35:59.625859976 CEST	49707	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:35:59.975164890 CEST	1133	49707	79.134.225.26	192.168.2.7
May 3, 2021 11:35:59.975369930 CEST	49707	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:03.701108932 CEST	49716	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:04.056865931 CEST	1133	49716	79.134.225.26	192.168.2.7
May 3, 2021 11:36:04.056981087 CEST	49716	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:04.057657957 CEST	49716	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:04.483517885 CEST	1133	49716	79.134.225.26	192.168.2.7
May 3, 2021 11:36:04.483618975 CEST	49716	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:04.535276890 CEST	1133	49716	79.134.225.26	192.168.2.7
May 3, 2021 11:36:04.535418987 CEST	49716	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:04.915105104 CEST	1133	49716	79.134.225.26	192.168.2.7
May 3, 2021 11:36:04.915201902 CEST	49716	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:05.275497913 CEST	1133	49716	79.134.225.26	192.168.2.7
May 3, 2021 11:36:05.277007103 CEST	49716	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:05.735222101 CEST	1133	49716	79.134.225.26	192.168.2.7
May 3, 2021 11:36:05.735450983 CEST	49716	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:05.873095989 CEST	49716	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:06.155128956 CEST	1133	49716	79.134.225.26	192.168.2.7
May 3, 2021 11:36:06.155272961 CEST	49716	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:09.895852089 CEST	49721	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:10.295373917 CEST	1133	49721	79.134.225.26	192.168.2.7
May 3, 2021 11:36:10.295598984 CEST	49721	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:10.300646067 CEST	49721	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:11.184920073 CEST	49721	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:12.092092037 CEST	49721	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:12.483063936 CEST	1133	49721	79.134.225.26	192.168.2.7
May 3, 2021 11:36:12.483128071 CEST	49721	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:16.109191895 CEST	49724	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:16.535310984 CEST	1133	49724	79.134.225.26	192.168.2.7
May 3, 2021 11:36:16.535440922 CEST	49724	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:16.535953999 CEST	49724	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:16.975370884 CEST	1133	49724	79.134.225.26	192.168.2.7
May 3, 2021 11:36:16.975955009 CEST	49724	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:17.075939894 CEST	1133	49724	79.134.225.26	192.168.2.7
May 3, 2021 11:36:17.076164007 CEST	49724	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:17.455312014 CEST	1133	49724	79.134.225.26	192.168.2.7
May 3, 2021 11:36:17.458092928 CEST	49724	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:17.564977884 CEST	1133	49724	79.134.225.26	192.168.2.7
May 3, 2021 11:36:17.565160036 CEST	49724	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:17.863342047 CEST	1133	49724	79.134.225.26	192.168.2.7
May 3, 2021 11:36:17.864617109 CEST	49724	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:18.236253977 CEST	1133	49724	79.134.225.26	192.168.2.7
May 3, 2021 11:36:18.483088017 CEST	49724	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:18.835776091 CEST	1133	49724	79.134.225.26	192.168.2.7
May 3, 2021 11:36:18.835900068 CEST	49724	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:22.543319941 CEST	49725	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:22.895484924 CEST	1133	49725	79.134.225.26	192.168.2.7
May 3, 2021 11:36:22.895659924 CEST	49725	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:23.134715080 CEST	49725	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:23.857887030 CEST	49725	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:24.216471910 CEST	1133	49725	79.134.225.26	192.168.2.7
May 3, 2021 11:36:24.216588974 CEST	49725	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:24.623435974 CEST	1133	49725	79.134.225.26	192.168.2.7
May 3, 2021 11:36:24.936151028 CEST	49725	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:24.936708927 CEST	49725	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:25.323057890 CEST	1133	49725	79.134.225.26	192.168.2.7
May 3, 2021 11:36:25.324203014 CEST	49725	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:28.954962015 CEST	49728	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:31.967937946 CEST	49728	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:32.355309963 CEST	1133	49728	79.134.225.26	192.168.2.7
May 3, 2021 11:36:32.355513096 CEST	49728	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:32.356162071 CEST	49728	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:32.755695105 CEST	1133	49728	79.134.225.26	192.168.2.7
May 3, 2021 11:36:32.755803108 CEST	49728	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:32.935302019 CEST	1133	49728	79.134.225.26	192.168.2.7
May 3, 2021 11:36:32.936120033 CEST	49728	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:33.225116968 CEST	1133	49728	79.134.225.26	192.168.2.7
May 3, 2021 11:36:33.227468014 CEST	49728	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:33.355937958 CEST	1133	49728	79.134.225.26	192.168.2.7
May 3, 2021 11:36:33.358747959 CEST	49728	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:33.776004076 CEST	1133	49728	79.134.225.26	192.168.2.7
May 3, 2021 11:36:34.218465090 CEST	49728	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:34.623622894 CEST	1133	49728	79.134.225.26	192.168.2.7
May 3, 2021 11:36:34.623821020 CEST	49728	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:37.735433102 CEST	1133	49728	79.134.225.26	192.168.2.7
May 3, 2021 11:36:37.735807896 CEST	49728	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:38.235639095 CEST	49729	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:38.603579044 CEST	1133	49729	79.134.225.26	192.168.2.7
May 3, 2021 11:36:38.603712082 CEST	49729	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:38.604790926 CEST	49729	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:39.037123919 CEST	1133	49729	79.134.225.26	192.168.2.7
May 3, 2021 11:36:39.037262917 CEST	49729	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:39.178581953 CEST	1133	49729	79.134.225.26	192.168.2.7
May 3, 2021 11:36:39.178910017 CEST	49729	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:39.562207937 CEST	1133	49729	79.134.225.26	192.168.2.7
May 3, 2021 11:36:39.796814919 CEST	49729	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:40.223459959 CEST	1133	49729	79.134.225.26	192.168.2.7
May 3, 2021 11:36:40.422703028 CEST	49729	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:40.819509983 CEST	1133	49729	79.134.225.26	192.168.2.7
May 3, 2021 11:36:40.819602966 CEST	49729	1133	192.168.2.7	79.134.225.26
May 3, 2021 11:36:44.439085960 CEST	49730	1133	192.168.2.7	79.134.225.26

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: b2NaDSFu9T.exe PID: 5340 Parent PID: 5620

General

Start time:	11:35:52
Start date:	03/05/2021
Path:	C:\Users\user\Desktop\b2NaDSFu9T.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\b2NaDSFu9T.exe'
Imagebase:	0x7c0000
File size:	1141760 bytes
MD5 hash:	042AA11C6D49E1CCA5923F02D1B0A5AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: RegSvcs.exe PID: 4892 Parent PID: 5340

General

Start time:	11:35:54
Start date:	03/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0x750000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report b2NaDSFu9T.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Code Manipulations

Statistics