Analysis Report Copy#.exe

Overview

General Information

Sample Name: Copy#.exe
Analysis ID: 403760
MD5: af64699ae611bd9008f11e0a087c4947
SHA1: 42ffd0c3e267a347ec09a176fd81556bd5cd39b7
SHA256: 501a63b52b27b41d2f100a37d38b3b5961b8e18298ed32104c7fc2323150eb5c
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for sample
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 1.2.Copy#.exe.660b410.8.raw.unpack Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1db8cd6c-75e8-4b3e-9da8-7094ff2f", "Group": "LOG101", "Domain1": "103.28.70.172", "Domain2": "103.28.70.172", "Port": 34217, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Copy#.exe Joe Sandbox ML: detected
Source: Copy#.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49727 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49728 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49729 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49733 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49734 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49735 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49741 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49747 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49755 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49756 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49757 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49761 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49762 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49765 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49766 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49767 -> 103.28.70.172:34217
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49768 -> 103.28.70.172:34217
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 103.28.70.172
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 103.28.70.172 ports 34217,1,2,3,4,7
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49727 -> 103.28.70.172:34217
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HVC-ASUS HVC-ASUS
Source: unknown TCP traffic detected without corresponding DNS query: 103.28.70.172

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Detected potential crypto function
Source: C:\Users\user\Desktop\Copy#.exe Code function: 1_2_013745F0 1_2_013745F0
Source: C:\Users\user\Desktop\Copy#.exe Code function: 1_2_01370490 1_2_01370490
Source: C:\Users\user\Desktop\Copy#.exe Code function: 1_2_01373808 1_2_01373808
Source: C:\Users\user\Desktop\Copy#.exe Code function: 1_2_01372BC8 1_2_01372BC8
Source: C:\Users\user\Desktop\Copy#.exe Code function: 1_2_0137AEB3 1_2_0137AEB3
Sample file is different than original file name gathered from version info
Source: Copy#.exe, 00000001.00000002.380342730.0000000006424000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHIT.dll* vs Copy#.exe
Source: Copy#.exe, 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEnjq Gqh.exe2 vs Copy#.exe
Source: Copy#.exe, 00000001.00000000.340758822.0000000000930000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe, 00000004.00000000.356924223.00000000003F0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe, 00000006.00000003.373150693.0000000001436000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Copy#.exe
Source: Copy#.exe, 00000006.00000000.359234712.0000000000F10000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Yara signature match
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/5@0/1
Source: C:\Users\user\Desktop\Copy#.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Copy#.exe.log
Source: C:\Users\user\Desktop\Copy#.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{1db8cd6c-75e8-4b3e-9da8-7094ff2fbff5}
Source: Copy#.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Copy#.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Copy#.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Copy#.exe File read: C:\Users\user\Desktop\Copy#.exe
Source: unknown Process created: C:\Users\user\Desktop\Copy#.exe 'C:\Users\user\Desktop\Copy#.exe'
Source: C:\Users\user\Desktop\Copy#.exe Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Copy#.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Copy#.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Copy#.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Copy#.exe Static file information: File size 1822208 > 1048576
Source: Copy#.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bc400
Source: Copy#.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Binary contains a suspicious time stamp
Source: Copy#.exe Static PE information: 0x84B8EC41 [Tue Jul 24 03:00:17 2040 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Copy#.exe Code function: 1_2_013770CA push esp; retf 1_2_013770CB

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Copy#.exe File opened: C:\Users\user\Desktop\Copy#.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Copy#.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Copy#.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Copy#.exe Code function: 1_2_01373777 rdtsc 1_2_01373777
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Copy#.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Copy#.exe Window / User API: threadDelayed 3668
Source: C:\Users\user\Desktop\Copy#.exe Window / User API: threadDelayed 5788
Source: C:\Users\user\Desktop\Copy#.exe Window / User API: foregroundWindowGot 734
Source: C:\Users\user\Desktop\Copy#.exe Window / User API: foregroundWindowGot 651
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Copy#.exe TID: 6488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Copy#.exe TID: 6812 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\Copy#.exe Thread delayed: delay time: 922337203685477
Source: Copy#.exe, 00000006.00000003.410269307.000000000141E000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJJ<)
Source: C:\Users\user\Desktop\Copy#.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Copy#.exe Code function: 1_2_01373777 rdtsc 1_2_01373777
Enables debug privileges
Source: C:\Users\user\Desktop\Copy#.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Copy#.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Copy#.exe Memory written: C:\Users\user\Desktop\Copy#.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Copy#.exe Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Copy#.exe Queries volume information: C:\Users\user\Desktop\Copy#.exe VolumeInformation
Source: C:\Users\user\Desktop\Copy#.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Copy#.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Copy#.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Copy#.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Copy#.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Copy#.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: Copy#.exe, 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Copy#.exe, 00000006.00000003.373150693.0000000001436000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 403760; Sample: Copy#.exe; Startdate: 04/05/2021; Architecture: WINDOWS; Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
Process: Copy#.exe (started)
  Dropped file: C:\Users\user\AppData\Local\...\Copy#.exe.log, ASCII
  Signature: Injects a PE file into a foreign process
  Child processes: Copy#.exe (started), Copy#.exe (started)
    DNS/IP: 103.28.70.172, ports 34217, 49727, 49728, HVC-ASUS, United States
    Dropped file: C:\Users\user\AppData\Roaming\...\run.dat, data
    Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name  Malicious
103.28.70.172  unknown  United States  29802  HVC-ASUS  true

Contacted URLs

Name           Malicious  Antivirus Detection    Reputation
103.28.70.172  true       Avira URL Cloud: safe  unknown