Analysis Report Copy#.exe

Overview

General Information

Sample Name: Copy#.exe
Analysis ID: 403760
MD5: af64699ae611bd9008f11e0a087c4947
SHA1: 42ffd0c3e267a347ec09a176fd81556bd5cd39b7
SHA256: 501a63b52b27b41d2f100a37d38b3b5961b8e18298ed32104c7fc2323150eb5c
Tags: exe NanoCore RAT
Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Copy#.exe (PID: 6408 cmdline: 'C:\Users\user\Desktop\Copy#.exe' MD5: AF64699AE611BD9008F11E0A087C4947)
    • Copy#.exe (PID: 6688 cmdline: C:\Users\user\Desktop\Copy#.exe MD5: AF64699AE611BD9008F11E0A087C4947)
    • Copy#.exe (PID: 6748 cmdline: C:\Users\user\Desktop\Copy#.exe MD5: AF64699AE611BD9008F11E0A087C4947)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1db8cd6c-75e8-4b3e-9da8-7094ff2f", "Group": "LOG101", "Domain1": "103.28.70.172", "Domain2": "103.28.70.172", "Port": 34217, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1077d:$x1: NanoCore.ClientPluginHost
  • 0x4359d:$x1: NanoCore.ClientPluginHost
  • 0x761bd:$x1: NanoCore.ClientPluginHost
  • 0x107ba:$x2: IClientNetworkHost
  • 0x435da:$x2: IClientNetworkHost
  • 0x761fa:$x2: IClientNetworkHost
  • 0x142ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x4710d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x79d2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x104e5:$a: NanoCore
    • 0x104f5:$a: NanoCore
    • 0x10729:$a: NanoCore
    • 0x1073d:$a: NanoCore
    • 0x1077d:$a: NanoCore
    • 0x43305:$a: NanoCore
    • 0x43315:$a: NanoCore
    • 0x43549:$a: NanoCore
    • 0x4355d:$a: NanoCore
    • 0x4359d:$a: NanoCore
    • 0x75f25:$a: NanoCore
    • 0x75f35:$a: NanoCore
    • 0x76169:$a: NanoCore
    • 0x7617d:$a: NanoCore
    • 0x761bd:$a: NanoCore
    • 0x10544:$b: ClientPlugin
    • 0x10746:$b: ClientPlugin
    • 0x10786:$b: ClientPlugin
    • 0x43364:$b: ClientPlugin
    • 0x43566:$b: ClientPlugin
    • 0x435a6:$b: ClientPlugin
Process Memory Space: Copy#.exe PID: 6408 | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x494101:$x1: NanoCore.ClientPluginHost
    • 0x4b30f7:$x1: NanoCore.ClientPluginHost
    • 0x4d1ffe:$x1: NanoCore.ClientPluginHost
    • 0x494162:$x2: IClientNetworkHost
    • 0x4b3158:$x2: IClientNetworkHost
    • 0x4d205f:$x2: IClientNetworkHost
    • 0x499567:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4a74d9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4b855d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4c64cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4d7464:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4e53d6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Copy#.exe PID: 6408 | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Copy#.exe.660b410.8.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x42dad:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x42dea:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      • 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Copy#.exe.660b410.8.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x42b25:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x42dad:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x443e6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x443da:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x4528b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x4b042:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      • 0x42dd7:$s5: IClientLoggingHost
1.2.Copy#.exe.660b410.8.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
1.2.Copy#.exe.660b410.8.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0x42b15:$a: NanoCore
        • 0x42b25:$a: NanoCore
        • 0x42d59:$a: NanoCore
        • 0x42d6d:$a: NanoCore
        • 0x42dad:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x42b74:$b: ClientPlugin
        • 0x42d76:$b: ClientPlugin
        • 0x42db6:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x42c9b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x436a2:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
1.2.Copy#.exe.65d85f0.9.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
        • 0xe38d:$x1: NanoCore.ClientPluginHost
        • 0xe3ca:$x2: IClientNetworkHost
        • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1db8cd6c-75e8-4b3e-9da8-7094ff2f", "Group": "LOG101", "Domain1": "103.28.70.172", "Domain2": "103.28.70.172", "Port": 34217, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Yara detected Nanocore RAT
Source: Yara match, File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match, File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Copy#.exe, Joe Sandbox ML: detected
Source: Copy#.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49727 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49728 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49729 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49733 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49734 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49735 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49741 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49747 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49755 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49756 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49757 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49761 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49762 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49765 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49766 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49767 -> 103.28.70.172:34217
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49768 -> 103.28.70.172:34217
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: 103.28.70.172
Connects to many ports of the same IP (likely port scanning)
Source: global traffic, TCP traffic: 103.28.70.172 ports 34217,1,2,3,4,7
Source: global traffic, TCP traffic: 192.168.2.6:49727 -> 103.28.70.172:34217
Source: Joe Sandbox View, ASN Name: HVC-ASUS HVC-ASUS
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown, TCP traffic detected without corresponding DNS query: 103.28.70.172

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match, File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\Copy#.exe, Code function: 1_2_013745F0 1_2_013745F0
Source: C:\Users\user\Desktop\Copy#.exe, Code function: 1_2_01370490 1_2_01370490
Source: C:\Users\user\Desktop\Copy#.exe, Code function: 1_2_01373808 1_2_01373808
Source: C:\Users\user\Desktop\Copy#.exe, Code function: 1_2_01372BC8 1_2_01372BC8
Source: C:\Users\user\Desktop\Copy#.exe, Code function: 1_2_0137AEB3 1_2_0137AEB3
Source: Copy#.exe, 00000001.00000002.380342730.0000000006424000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSHIT.dll* vs Copy#.exe
Source: Copy#.exe, 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameEnjq Gqh.exe2 vs Copy#.exe
Source: Copy#.exe, 00000001.00000000.340758822.0000000000930000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe, 00000004.00000000.356924223.00000000003F0000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe, 00000006.00000003.373150693.0000000001436000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Copy#.exe
Source: Copy#.exe, 00000006.00000000.359234712.0000000000F10000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe, Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine, Classification label: mal100.troj.evad.winEXE@5/5@0/1
Source: C:\Users\user\Desktop\Copy#.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Copy#.exe.log
Source: C:\Users\user\Desktop\Copy#.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{1db8cd6c-75e8-4b3e-9da8-7094ff2fbff5}
Source: Copy#.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Copy#.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Copy#.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Copy#.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Copy#.exe, File read: C:\Users\user\Desktop\Copy#.exe
Source: unknown, Process created: C:\Users\user\Desktop\Copy#.exe 'C:\Users\user\Desktop\Copy#.exe'
Source: C:\Users\user\Desktop\Copy#.exe, Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe, Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe, Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe, Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Copy#.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Copy#.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Copy#.exe, Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Copy#.exe, Static file information: File size 1822208 > 1048576
Source: Copy#.exe, Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bc400
Source: Copy#.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Copy#.exe, Static PE information: 0x84B8EC41 [Tue Jul 24 03:00:17 2040 UTC]
Source: C:\Users\user\Desktop\Copy#.exe, Code function: 1_2_013770CA push esp; retf 1_2_013770CB

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\Desktop\Copy#.exeFile opened: C:\Users\user\Desktop\Copy#.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\Copy#.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
        Source: C:\Users\user\Desktop\Copy#.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Copy#.exe Code function: 1_2_01373777 rdtsc 1_2_01373777
        Source: C:\Users\user\Desktop\Copy#.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Copy#.exe Window / User API: threadDelayed 3668
        Source: C:\Users\user\Desktop\Copy#.exe Window / User API: threadDelayed 5788
        Source: C:\Users\user\Desktop\Copy#.exe Window / User API: foregroundWindowGot 734
        Source: C:\Users\user\Desktop\Copy#.exe Window / User API: foregroundWindowGot 651
        Source: C:\Users\user\Desktop\Copy#.exe TID: 6488 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Copy#.exe TID: 6812 Thread sleep time: -20291418481080494s >= -30000s
        Source: Copy#.exe, 00000006.00000003.410269307.000000000141E000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJJ<)
        Source: C:\Users\user\Desktop\Copy#.exe Process information queried: ProcessInformation