Analysis Report TT COPY pdf.exe
Overview
General Information
| Field | Value |
|---|---|
| Sample Name | TT COPY pdf.exe |
| Analysis ID | 402887 |
| MD5 | 5c59c6fb72b449bd3e52b628c7c46002 |
| SHA1 | 85974547f519babcdd3f8d5a68ba18930f09d46d |
| SHA256 | 0b39f5e8244f6d24dbf99914e31907f8e560c6612544a692ec97480c5c9fe371 |
| Tags | exe, NanoCore, RAT |
Detection

| Field | Value |
|---|---|
| Threat name | Nanocore |
| Score | 100 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Sigma detected: NanoCore
Sigma detected: NotPetya Ransomware Activity
Sigma detected: QBot Process Creation
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Exchange Exploitation Activity
Sigma detected: Mustang Panda Dropper
Sigma detected: Raccine Uninstall
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Sigma detected: Windows 10 Scheduled Task SandboxEscaper 0-day
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SMSW)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Script Run in AppData
Sigma detected: Suspicious Copy From or To System32
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Malware Configuration

Threatname: NanoCore

```json
{
  "Version": "1.2.2.0",
  "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91",
  "Group": "king",
  "Domain1": "23.105.131.171",
  "Domain2": "",
  "Port": 4040,
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}
```
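The configuration block above is the most actionable part of the report: it names the C2 address and port, the mutex, the hard-coded resolvers the implant uses when `UseCustomDNS` is on, and the flag (`ClearZoneIdentifier`) that explains the "Hides that the sample has been downloaded from the Internet (zone.identifier)" signature. The script below is an added example written for this page, not Joe Sandbox tooling. It copies the dumped configuration verbatim, normalises the `Enable`/`Disable` strings and hex-encoded sizes into native types, and derives network indicators from it. The Suricata rule text, the `sid` base and the `FLAG_FIELDS`/`HEX_FIELDS` lists are this example's own choices, inferred from the field values shown in the report.

```python
"""Normalise a NanoCore configuration as dumped by the sandbox and derive
indicators from it.  Added example for this report, not Joe Sandbox code.
NANOCORE_CONFIG is copied verbatim from the report's Malware Configuration."""

NANOCORE_CONFIG = {
    "Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91",
    "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040,
    "RunOnStartup": "Disable", "RequestElevation": "Disable",
    "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable",
    "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable",
    "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable",
    "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000,
    "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000,
    "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000,
    "BufferSize": "ffff0000", "MaxPacketSize": "0000a000",
    "GCThreshold": "0000a000", "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4",
}

# Assumed from the dumped values: these fields are "Enable"/"Disable" strings,
# and these are 8-hex-digit strings (DWORDs written without a 0x prefix).
FLAG_FIELDS = {"RunOnStartup", "RequestElevation", "BypassUAC",
               "ClearZoneIdentifier", "ClearAccessControl", "SetCriticalProcess",
               "PreventSystemSleep", "ActivateAwayMode", "EnableDebugMode",
               "UseCustomDNS"}
HEX_FIELDS = {"BufferSize", "MaxPacketSize", "GCThreshold"}


def normalize_config(raw):
    """Return a copy with flags as bool and hex sizes as int; other fields unchanged."""
    cfg = {}
    for key, value in raw.items():
        if key in FLAG_FIELDS:
            if value not in ("Enable", "Disable"):
                raise ValueError(f"unexpected flag value for {key}: {value!r}")
            cfg[key] = value == "Enable"
        elif key in HEX_FIELDS:
            cfg[key] = int(value, 16)
        else:
            cfg[key] = value
    return cfg


def c2_endpoints(cfg):
    """(host, port) for every non-empty DomainN slot; the single Port applies to all."""
    port = int(cfg["Port"])
    hosts = [cfg.get(k, "") for k in ("Domain1", "Domain2")]
    return [(h.strip(), port) for h in hosts if h.strip()]


def dns_servers(cfg):
    """Resolvers the implant queries directly (bypassing the system resolver)
    when UseCustomDNS is enabled; empty list otherwise."""
    if not cfg["UseCustomDNS"]:
        return []
    return [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]


def suricata_rules(cfg, base_sid=9000001):
    """One TCP rule per C2 endpoint.  sid range and msg text are arbitrary
    choices for this example; adapt them to local rule numbering."""
    rules = []
    for i, (host, port) in enumerate(c2_endpoints(cfg)):
        rules.append(
            f"alert tcp $HOME_NET any -> {host} {port} "
            f'(msg:"NanoCore C2 {host}:{port} from sandbox config"; '
            f"flow:to_server; sid:{base_sid + i}; rev:1;)"
        )
    return rules


def host_notes(cfg):
    """Host-side behaviour a responder should expect, read off the flags."""
    notes = []
    if cfg["ClearZoneIdentifier"]:
        notes.append("removes the Zone.Identifier ADS, so Mark-of-the-Web is absent")
    if not cfg["RunOnStartup"]:
        notes.append("built-in startup option is off; the report shows schtasks.exe used instead")
    if cfg["PreventSystemSleep"]:
        notes.append("keeps the host awake to hold the C2 session")
    return notes


if __name__ == "__main__":
    cfg = normalize_config(NANOCORE_CONFIG)
    print("mutex:", cfg["Mutex"])
    print("C2:", c2_endpoints(cfg))
    print("custom DNS:", dns_servers(cfg))
    for rule in suricata_rules(cfg):
        print(rule)
    for note in host_notes(cfg):
        print("-", note)
```

Two points worth noting for the hunt: the C2 port (4040) is what triggers the "TCP or UDP traffic on non-standard ports" signature, so a rule keyed on the IP alone would miss a rebuild of the same builder config pointing at a new host; and direct UDP/53 to 8.8.8.8 and 8.8.4.4 from an endpoint that should use internal resolvers is a useful secondary signal even after the C2 address rotates.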
Yara Overview

Memory Dumps (14 matches in total; first 5 shown)

| Rule | Description | Author |
|---|---|---|
| Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth |
| Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth |
| JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
| Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth |
| JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |

Unpacked PEs (36 matches in total; first 5 shown)

| Rule | Description | Author |
|---|---|---|
| Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth |
| JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
| NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> |
| Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth |
| Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth |
Sigma Overview

System Summary

| Rule | Author |
|---|---|
| BlueMashroom DLL Load | Florian Roth |
| NanoCore | Joe Security |
| NotPetya Ransomware Activity | Florian Roth, Tom Ueltschi |
| QBot Process Creation | Florian Roth |
| Scheduled temp file as task from temp location | Joe Security |
| Exchange Exploitation Activity | Florian Roth |
| Mustang Panda Dropper | Florian Roth, oscd.community |
| Raccine Uninstall | Florian Roth |
| Suspicious Scheduled Task Creation Involving Temp Folder | Florian Roth |
| Windows 10 Scheduled Task SandboxEscaper 0-day | Olaf Hartong |
| PowerShell Script Run in AppData | Florian Roth, Jonhnathan Ribeiro, oscd.community |
| Suspicious Copy From or To System32 | Florian Roth, Markus Neis |
| Change Default File Association | Timur Zinniatullin, oscd.community |
| Data Compressed - Powershell | Timur Zinniatullin, oscd.community |
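Most of the Sigma hits above are process-creation rules, and two of them ("Scheduled temp file as task from temp location" and "Suspicious Scheduled Task Creation Involving Temp Folder") fire on the same behaviour the signature list describes: `schtasks.exe /create` fed a task definition or payload from a Temp folder. The script below is an added example written for this page; it approximates what such rules check and is not the text of the Sigma rules themselves. It also carries an approximation of "Suspicious Copy From or To System32" so both checks run over one event set. The events are constructed Sysmon-style Event ID 1 records with field names `Image`, `ParentImage` and `CommandLine`; the task name, file names and parent processes in them are invented for illustration and are not taken from the report.

```python
"""Approximate two of the Sigma process-creation checks listed in the report and
run them over constructed events.  Added example for this page; not the Sigma
rules' own text and not Joe Sandbox code."""

import re

# Constructed Sysmon-style Event ID 1 records (not from the report).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\TT COPY pdf.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1A2B.tmp"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'schtasks.exe /create /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe" /sc daily'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\user\AppData\Local\Temp\x.exe C:\Windows\System32\x.exe"},
]

# A quoted argument (may contain spaces) or a run of non-whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')
# Any path component named Temp, or the env-var spellings of it.
TEMP_PATTERN = re.compile(r"\\Temp\\|%TEMP%|%TMP%", re.IGNORECASE)


def is_schtasks_create(event):
    """schtasks.exe invoked with /create (any position, any case)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\schtasks.exe") and "/create" in cmd


def temp_paths(cmd):
    """Command-line arguments that point into a Temp folder, quotes stripped.
    Quoted paths with spaces are kept as one argument."""
    return [t.strip('"') for t in TOKEN.findall(cmd) if TEMP_PATTERN.search(t)]


def is_copy_involving_system32(event):
    """cmd.exe copy/xcopy, or xcopy.exe/robocopy.exe, with System32 as source or target."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    uses_copy = (image.endswith("\\cmd.exe") and (" copy " in cmd or "xcopy" in cmd)) \
        or image.endswith("\\xcopy.exe") or image.endswith("\\robocopy.exe")
    return uses_copy and "\\system32" in cmd


def detect(events):
    """Return (rule_name, command_line) for every event that trips a check.
    An event can trip more than one rule; results keep event order."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        if is_schtasks_create(ev) and temp_paths(cmd):
            hits.append(("scheduled_task_from_temp", cmd))
        if is_copy_involving_system32(ev):
            hits.append(("copy_involving_system32", cmd))
    return hits


if __name__ == "__main__":
    for rule, cmd in detect(EVENTS):
        print(f"{rule}: {cmd}")
```

The third constructed event is the point of the exercise: a vendor installer also runs `schtasks.exe /create`, so keying on `/create` alone produces noise, while requiring a Temp path in the arguments keeps the vendor task out and still catches the `/xml` import from `AppData\Local\Temp` that the report's signatures describe. Tune `TEMP_PATTERN` to the Temp locations your fleet actually uses before deploying anything like this.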