Source: 24.2.vbc.exe.2760000.6.raw.unpack |
Malware Configuration Extractor: NanoCore {"Version": ".0.0.0,", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"} |
Source: Yara match |
File source: 00000018.00000002.2302975207.00000000027F2000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000002.2321994260.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000002.2302925101.0000000002760000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000002.2258235244.0000000001E90000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000002.2216316661.0000000000440000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2273346019.0000000002760000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000002.2222957542.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001A.00000002.2316058647.00000000027E2000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000002.2368425680.0000000002780000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000002.2279056519.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.2150412960.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000E.00000002.2231524539.0000000002862000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.2168675163.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000002.2216660226.0000000001F12000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000020.00000002.2362066898.0000000002870000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001B.00000002.2307464017.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001A.00000002.2315962190.0000000002750000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000E.00000002.2231421251.0000000002750000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000016.00000002.2287694546.00000000027C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000D.00000002.2208178016.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.2181664137.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2163268669.0000000002680000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000002.2176935258.00000000027A0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000002.2347167149.0000000002832000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001C.00000002.2329560547.00000000005F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000002.2292417320.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2163468304.00000000030A2000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.2191917779.00000000027D0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000002.2245905137.0000000002780000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000002.2346463875.0000000002750000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000016.00000002.2287767683.0000000002852000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000002.2177049947.0000000002832000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000015.00000002.2264948911.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001C.00000002.2330418460.0000000002942000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.2192149288.0000000002862000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.2202107255.0000000002770000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.2273452074.00000000027F2000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001F.00000002.2337833503.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: MSBuild.exe PID: 2544, type: MEMORY (NanoCore signature matched inside the memory of MSBuild.exe, a signed Microsoft .NET build host; together with the unpacked PE at 0x400000 in the MSBuild.exe entries below this is consistent with process injection/hollowing rather than a trojanized binary — confirm against the process tree and the on-disk MSBuild.exe hash) |
Source: Yara match |
File source: Process Memory Space: MSBuild.exe PID: 2872, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: vbc.exe PID: 2780, type: MEMORY |
Source: Yara match |
File source: 24.2.vbc.exe.2760000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.vbc.exe.2760000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.vbc.exe.2860000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 6.2.vbc.exe.27a0000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.vbc.exe.1e90000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 28.2.vbc.exe.5f0000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 32.2.vbc.exe.2870000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 14.2.vbc.exe.2750000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 26.2.vbc.exe.2750000.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 22.2.vbc.exe.27c0000.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 23.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 22.2.vbc.exe.27c0000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 6.2.vbc.exe.2830000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.vbc.exe.1e90000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 14.2.vbc.exe.2860000.7.unpack, type: UNPACKEDPE |
Source: 8.2.vbc.exe.2860000.7.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 23.2.MSBuild.exe.400000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 13.2.MSBuild.exe.400000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 6.2.vbc.exe.2830000.7.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 5.2.MSBuild.exe.400000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 15.2.MSBuild.exe.400000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 14.2.vbc.exe.2860000.7.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 30.2.vbc.exe.2830000.7.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 20.2.vbc.exe.27f0000.7.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 28.2.vbc.exe.2940000.7.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 24.2.vbc.exe.27f0000.7.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 21.2.MSBuild.exe.400000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 27.2.MSBuild.exe.400000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 29.2.MSBuild.exe.400000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 22.2.vbc.exe.2850000.7.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 25.2.MSBuild.exe.400000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 26.2.vbc.exe.27e0000.7.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 7.2.MSBuild.exe.400000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 4.2.vbc.exe.30a0000.8.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 31.2.MSBuild.exe.400000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 12.2.vbc.exe.1f10000.4.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 9.2.MSBuild.exe.400000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process created: C:\Users\Public\vbc.exe (the Office Equation Editor has no legitimate reason to spawn executables, let alone one written to the world-writable C:\Users\Public; a parent image of EQNEDT32.EXE with any child process is a high-fidelity detection rule, and this parent/child pair is the likely initial-access vector — a malicious document exploiting the Equation Editor — although the document itself is not shown in this excerpt)
|
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process created: C:\Users\Public\vbc.exe |
Source: |
Binary string: wntdll.pdb (the PDB name embedded in ntdll.dll; its appearance in private vbc.exe memory regions across four PIDs suggests the loader maps its own copy of ntdll, a common preparation step for API unhooking or direct syscalls — TODO confirm by checking whether these regions are image mappings or private allocations) source: vbc.exe, 00000004.00000003.2150153409.0000000003270000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.2167801125.0000000002900000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.2179925246.00000000029C0000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.2191624487.0000000002860000.00000004.00000001.sdmp |
Source: C:\Users\Public\vbc.exe |
Code function: 4_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, (as listed, this routine resolves %TEMP%, deletes a file there and then enumerates the directory with FindFirstFile/FindNextFile — worth checking in forensics for staged or cleaned-up artefacts under the user's temp path)
4_2_004059F0 |
Source: C:\Users\Public\vbc.exe |
Code function: 4_2_0040659C FindFirstFileA,FindClose, |
4_2_0040659C |
Source: C:\Users\Public\vbc.exe |
Code function: 4_2_004027A1 FindFirstFileA, |
4_2_004027A1 |
Source: Malware configuration extractor |
URLs: 79.134.225.26 (C2 endpoint taken from the extracted configuration's Domain1, used with the configured port 1133 — a bare IP rather than a URL; candidate for a network block) |
Source: Malware configuration extractor |
URLs: nassiru1166main.ddns.net (C2 fallback from Domain2 on port 1133; a dynamic-DNS hostname can be re-pointed at any time, so monitor and sinkhole the name rather than relying solely on the IP above) |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 May 2021 12:55:40 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3Last-Modified: Mon, 03 May 2021 07:04:16 GMTETag: "923fb-5c16791e13768"Accept-Ranges: bytesContent-Length: 599035Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 29 81 e9 50 47 d2 e9 50 47 d2 e9 50 47 d2 2a 5f 18 d2 eb 50 47 d2 e9 50 46 d2 49 50 47 d2 2a 5f 1a d2 e6 50 47 d2 bd 73 77 d2 e3 50 47 d2 2e 56 41 d2 e8 50 47 d2 52 69 63 68 e9 50 47 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e4 d6 24 5f 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 64 00 00 00 d0 01 00 00 04 00 00 61 34 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 84 00 00 a0 00 00 00 00 d0 02 00 c8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 3c 62 00 00 00 10 00 00 00 64 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 74 12 00 00 00 80 00 00 00 14 00 00 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 a8 01 00 00 a0 00 00 00 06 00 00 00 7c 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 c8 0b 00 00 00 d0 02 00 00 0c 00 00 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 |