Play interactive tour

Edit tour

Analysis Report Copy#.exe

Overview

General Information

Sample Name:	Copy#.exe
Analysis ID:	403760
MD5:	af64699ae611bd9008f11e0a087c4947
SHA1:	42ffd0c3e267a347ec09a176fd81556bd5cd39b7
SHA256:	501a63b52b27b41d2f100a37d38b3b5961b8e18298ed32104c7fc2323150eb5c
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Copy#.exe (PID: 6408 cmdline: 'C:\Users\user\Desktop\Copy#.exe' MD5: AF64699AE611BD9008F11E0A087C4947)

Copy#.exe (PID: 6688 cmdline: C:\Users\user\Desktop\Copy#.exe MD5: AF64699AE611BD9008F11E0A087C4947)

Copy#.exe (PID: 6748 cmdline: C:\Users\user\Desktop\Copy#.exe MD5: AF64699AE611BD9008F11E0A087C4947)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1db8cd6c-75e8-4b3e-9da8-7094ff2f", "Group": "LOG101", "Domain1": "103.28.70.172", "Domain2": "103.28.70.172", "Port": 34217, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1077d:$x1: NanoCore.ClientPluginHost 0x4359d:$x1: NanoCore.ClientPluginHost 0x761bd:$x1: NanoCore.ClientPluginHost 0x107ba:$x2: IClientNetworkHost 0x435da:$x2: IClientNetworkHost 0x761fa:$x2: IClientNetworkHost 0x142ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4710d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79d2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x104e5:$a: NanoCore 0x104f5:$a: NanoCore 0x10729:$a: NanoCore 0x1073d:$a: NanoCore 0x1077d:$a: NanoCore 0x43305:$a: NanoCore 0x43315:$a: NanoCore 0x43549:$a: NanoCore 0x4355d:$a: NanoCore 0x4359d:$a: NanoCore 0x75f25:$a: NanoCore 0x75f35:$a: NanoCore 0x76169:$a: NanoCore 0x7617d:$a: NanoCore 0x761bd:$a: NanoCore 0x10544:$b: ClientPlugin 0x10746:$b: ClientPlugin 0x10786:$b: ClientPlugin 0x43364:$b: ClientPlugin 0x43566:$b: ClientPlugin 0x435a6:$b: ClientPlugin
Process Memory Space: Copy#.exe PID: 6408	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x494101:$x1: NanoCore.ClientPluginHost 0x4b30f7:$x1: NanoCore.ClientPluginHost 0x4d1ffe:$x1: NanoCore.ClientPluginHost 0x494162:$x2: IClientNetworkHost 0x4b3158:$x2: IClientNetworkHost 0x4d205f:$x2: IClientNetworkHost 0x499567:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4a74d9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4b855d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4c64cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4d7464:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4e53d6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Copy#.exe PID: 6408	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Copy#.exe PID: 6408	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493c06:$a: NanoCore 0x493c22:$a: NanoCore 0x493d7d:$a: NanoCore 0x493d8c:$a: NanoCore 0x494065:$a: NanoCore 0x494091:$a: NanoCore 0x494101:$a: NanoCore 0x4a3b43:$a: NanoCore 0x4a3b55:$a: NanoCore 0x4a3b91:$a: NanoCore 0x4b2bfc:$a: NanoCore 0x4b2c18:$a: NanoCore 0x4b2d73:$a: NanoCore 0x4b2d82:$a: NanoCore 0x4b305b:$a: NanoCore 0x4b3087:$a: NanoCore 0x4b30f7:$a: NanoCore 0x4c2b39:$a: NanoCore 0x4c2b4b:$a: NanoCore 0x4c2b87:$a: NanoCore 0x4d1b03:$a: NanoCore
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Copy#.exe.660b410.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Copy#.exe.660b410.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42b25:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42dad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x443e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x443da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4528b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4b042:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42dd7:$s5: IClientLoggingHost
1.2.Copy#.exe.660b410.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.Copy#.exe.660b410.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x436a2:$d: DESCrypto 0x1844e:$e: KeepAlive
1.2.Copy#.exe.65d85f0.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Copy#.exe.65d85f0.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.Copy#.exe.65d85f0.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.Copy#.exe.65d85f0.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.Copy#.exe.660b410.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Copy#.exe.660b410.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.Copy#.exe.660b410.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.Copy#.exe.660b410.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.Copy#.exe.65d85f0.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0x75bcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42fea:$x2: IClientNetworkHost 0x75c0a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7973d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Copy#.exe.65d85f0.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.Copy#.exe.65d85f0.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42d15:$a: NanoCore 0x42d25:$a: NanoCore 0x42f59:$a: NanoCore 0x42f6d:$a: NanoCore 0x42fad:$a: NanoCore 0x75935:$a: NanoCore 0x75945:$a: NanoCore 0x75b79:$a: NanoCore 0x75b8d:$a: NanoCore 0x75bcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42d74:$b: ClientPlugin 0x42f76:$b: ClientPlugin 0x42fb6:$b: ClientPlugin
Click to see the 10 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.Copy#.exe.660b410.8.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1db8cd6c-75e8-4b3e-9da8-7094ff2f", "Group": "LOG101", "Domain1": "103.28.70.172", "Domain2": "103.28.70.172", "Port": 34217, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match	File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Copy#.exe

Joe Sandbox ML: detected

Source: Copy#.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49727 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49728 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49729 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49733 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49734 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49735 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49741 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49747 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49755 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49756 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49757 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49761 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49762 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49765 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49766 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49767 -> 103.28.70.172:34217
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49768 -> 103.28.70.172:34217

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 103.28.70.172

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 103.28.70.172 ports 34217,1,2,3,4,7

Source: global traffic

TCP traffic: 192.168.2.6:49727 -> 103.28.70.172:34217

Source: Joe Sandbox View

ASN Name: HVC-ASUS HVC-ASUS

Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172
Source: unknown	TCP traffic detected without corresponding DNS query: 103.28.70.172

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match	File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\Copy#.exe	Code function: 1_2_013745F0
Source: C:\Users\user\Desktop\Copy#.exe	Code function: 1_2_01370490
Source: C:\Users\user\Desktop\Copy#.exe	Code function: 1_2_01373808
Source: C:\Users\user\Desktop\Copy#.exe	Code function: 1_2_01372BC8
Source: C:\Users\user\Desktop\Copy#.exe	Code function: 1_2_0137AEB3

Source: Copy#.exe, 00000001.00000002.380342730.0000000006424000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHIT.dll* vs Copy#.exe
Source: Copy#.exe, 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEnjq Gqh.exe2 vs Copy#.exe
Source: Copy#.exe, 00000001.00000000.340758822.0000000000930000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe, 00000004.00000000.356924223.00000000003F0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe, 00000006.00000003.373150693.0000000001436000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Copy#.exe
Source: Copy#.exe, 00000006.00000000.359234712.0000000000F10000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe	Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe

Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/5@0/1

Source: C:\Users\user\Desktop\Copy#.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Copy#.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Copy#.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{1db8cd6c-75e8-4b3e-9da8-7094ff2fbff5}

Source: Copy#.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Copy#.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Copy#.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Copy#.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Copy#.exe

File read: C:\Users\user\Desktop\Copy#.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Copy#.exe 'C:\Users\user\Desktop\Copy#.exe'
Source: C:\Users\user\Desktop\Copy#.exe	Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe	Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe	Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe	Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe

Source: C:\Users\user\Desktop\Copy#.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\Copy#.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Copy#.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Copy#.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Copy#.exe

Static file information: File size 1822208 > 1048576

Source: Copy#.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bc400

Source: Copy#.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Copy#.exe

Static PE information: 0x84B8EC41 [Tue Jul 24 03:00:17 2040 UTC]

Source: C:\Users\user\Desktop\Copy#.exe

Code function: 1_2_013770CA push esp; retf

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Copy#.exe

File opened: C:\Users\user\Desktop\Copy#.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\Copy#.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Copy#.exe

Code function: 1_2_01373777 rdtsc

Source: C:\Users\user\Desktop\Copy#.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Copy#.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Copy#.exe	Window / User API: threadDelayed 3668
Source: C:\Users\user\Desktop\Copy#.exe	Window / User API: threadDelayed 5788
Source: C:\Users\user\Desktop\Copy#.exe	Window / User API: foregroundWindowGot 734
Source: C:\Users\user\Desktop\Copy#.exe	Window / User API: foregroundWindowGot 651

Source: C:\Users\user\Desktop\Copy#.exe TID: 6488	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Copy#.exe TID: 6812	Thread sleep time: -20291418481080494s >= -30000s

Source: C:\Users\user\Desktop\Copy#.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Copy#.exe	Thread delayed: delay time: 922337203685477

Source: Copy#.exe, 00000006.00000003.410269307.000000000141E000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJJ<)

Source: C:\Users\user\Desktop\Copy#.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Copy#.exe

Code function: 1_2_01373777 rdtsc

Source: C:\Users\user\Desktop\Copy#.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Copy#.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Copy#.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Copy#.exe

Memory written: C:\Users\user\Desktop\Copy#.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Copy#.exe	Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
Source: C:\Users\user\Desktop\Copy#.exe	Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe

Source: C:\Users\user\Desktop\Copy#.exe	Queries volume information: C:\Users\user\Desktop\Copy#.exe VolumeInformation
Source: C:\Users\user\Desktop\Copy#.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#.exe	Queries volume information: C:\Users\user\Desktop\Copy#.exe VolumeInformation
Source: C:\Users\user\Desktop\Copy#.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\Copy#.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Copy#.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match	File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Copy#.exe, 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Copy#.exe, 00000006.00000003.373150693.0000000001436000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match	File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection111	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Copy#.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
103.28.70.172	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
103.28.70.172	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.28.70.172	unknown	United States		29802	HVC-ASUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	403760
Start date:	04.05.2021
Start time:	11:44:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 8s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Copy#.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/5@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:45:39	API Interceptor	953x Sleep call for process: Copy#.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HVC-ASUS	4GGwmv0AJm.exe	Get hash	malicious	Browse	209.133.204.58
	10ba8cb2_by_Libranalysis.exe	Get hash	malicious	Browse	23.227.206.170
	Invoice_7418340.xlsm	Get hash	malicious	Browse	104.156.58.59
	Invoice_7418340.xlsm	Get hash	malicious	Browse	104.156.58.59
	Invoice_7418340.xlsm	Get hash	malicious	Browse	104.156.58.59
	2019-07-05-password-protected-Word-doc-with-macro-for-follow-up-malware1.docm	Get hash	malicious	Browse	23.111.174.152
	2019-07-05-password-protected-Word-doc-with-macro-for-follow-up-malware1.docm	Get hash	malicious	Browse	23.111.174.152
	2019-07-05-password-protected-Word-doc-with-macro-for-follow-up-malware1.docm	Get hash	malicious	Browse	23.111.174.152
	aa6281eb-a31c-4e8b-a2c6-c5c03fdcbe57.exe	Get hash	malicious	Browse	46.21.153.81
	SA-NQAW12n-NC9W03-pdf.exe	Get hash	malicious	Browse	209.133.204.115
	o52k2obPCG.exe	Get hash	malicious	Browse	66.206.3.38
	pCkqlKXv05.exe	Get hash	malicious	Browse	66.206.3.38
	CNTR-NO-GLDU7267089.xlsx	Get hash	malicious	Browse	209.133.204.115
	9MZjR5LtAj.exe	Get hash	malicious	Browse	46.21.153.183
	Audio playback (5608701) for jsmith Nmaiom.htm	Get hash	malicious	Browse	66.206.10.106
	Sales Invoice no5283.exe	Get hash	malicious	Browse	209.133.204.250
	ORDER.exe	Get hash	malicious	Browse	104.156.59.2
	2019-07-05-password-protected-Word-doc-with-macro-for-follow-up-malware.docm	Get hash	malicious	Browse	23.111.174.152
	2019-07-05-password-protected-Word-doc-with-macro-for-follow-up-malware.docm	Get hash	malicious	Browse	23.111.174.152
	2019-07-05-password-protected-Word-doc-with-macro-for-follow-up-malware.docm	Get hash	malicious	Browse	23.111.174.152

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Copy#.exe.log Download File
Process:	C:\Users\user\Desktop\Copy#.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.365622957937216
Encrypted:	false
SSDEEP:	24:MLUE4Ko84qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MIHKov2HKXwYHKhQnoPtHoxHhAHKzva
MD5:	338D0004A254F4F1EB5A622B3FAF7E88
SHA1:	9583DBB0574416109507127BF9B8E153690B8C46
SHA-256:	3A7D5065DF406B210D72D7A927C2DE7F5A6F83B286D2C9915EDEB9A055C8C9D8
SHA-512:	AD33C713AD2DEDDCA9A5E0ACFB0569EBA3D817AC938628DCA17194A7B5842A93A5A8D6EC9F7B587203B2C844F823576EF5570363FEFE8C84CCA182456A188068
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\Copy#.exe
File Type:	data
Category:	dropped
Size (bytes):	1856
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
MD5:	838CD9DBC78EA45A5406EAE23962086D
SHA1:	C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
SHA-256:	6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
SHA-512:	F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\Copy#.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:bk8t:bk8
MD5:	5B00DB96B89970CBDDCAEBBFA6AD4D58
SHA1:	B08F9D9D8C046B29B4A560E33D88F67C2F571FB4
SHA-256:	D7C9437C80F95CCABB2F6BB0F20C3D098C2483BD3E1001026D52A4E73E1F3A69
SHA-512:	BA711E04C1443EF1F360B3F6D4765022B22FD5B83ED6109B19CFEDCC8BE5013B8FA473AF4F265DD62C4BA037E171966E33A714ED22123D0FABDA751E81617F0A
Malicious:	true
Reputation:	low
Preview:	2y..,..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\Copy#.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\Copy#.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.6067081010007884
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Copy#.exe
File size:	1822208
MD5:	af64699ae611bd9008f11e0a087c4947
SHA1:	42ffd0c3e267a347ec09a176fd81556bd5cd39b7
SHA256:	501a63b52b27b41d2f100a37d38b3b5961b8e18298ed32104c7fc2323150eb5c
SHA512:	ef23ff92afe2cb384bc978571d8e9247e611a39964002f277194fce46ec7e00d4583457d764c04ee0c62fe5c74266c79d22b92bff2d280711ff75bc774da2ad3
SSDEEP:	1536:aNEeB7PsACQwI9VaCVH/9/bT+xCsYnuW/mnPFJFWMszcazNLHLUOLlSKoaczzQ3O:a4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A............."...0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x5be39e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x84B8EC41 [Tue Jul 24 03:00:17 2040 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1be34c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c0000	0x588	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1bc3a4	0x1bc400	False	0.197133181802	data	2.60174795099	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x1c0000	0x588	0x600	False	0.410807291667	data	4.01119485706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1c00a0	0x2fc	data
RT_MANIFEST	0x1c039c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021
Assembly Version	1.0.0.0
InternalName	hilal.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	hilal
ProductVersion	1.0.0.0
FileDescription	hilal
OriginalFilename	hilal.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/04/21-11:45:20.216550	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:20.251641	ICMP	449	ICMP Time-To-Live Exceeded in Transit			84.17.52.126	192.168.2.6
05/04/21-11:45:20.252957	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:20.290010	ICMP	449	ICMP Time-To-Live Exceeded in Transit			149.11.89.129	192.168.2.6
05/04/21-11:45:20.290792	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:20.326598	ICMP	449	ICMP Time-To-Live Exceeded in Transit			130.117.49.165	192.168.2.6
05/04/21-11:45:20.327880	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:20.368915	ICMP	449	ICMP Time-To-Live Exceeded in Transit			130.117.0.18	192.168.2.6
05/04/21-11:45:20.369301	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:20.415972	ICMP	449	ICMP Time-To-Live Exceeded in Transit			154.54.36.53	192.168.2.6
05/04/21-11:45:20.416454	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:20.463203	ICMP	449	ICMP Time-To-Live Exceeded in Transit			154.54.56.190	192.168.2.6
05/04/21-11:45:20.465748	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:20.517708	ICMP	449	ICMP Time-To-Live Exceeded in Transit			4.68.37.93	192.168.2.6
05/04/21-11:45:20.519187	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:24.405819	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:28.376610	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:32.375204	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:36.375067	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:40.375462	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:40.708307	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49727	34217	192.168.2.6	103.28.70.172
05/04/21-11:45:44.966234	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:46.949912	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49728	34217	192.168.2.6	103.28.70.172
05/04/21-11:45:48.876287	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:52.876793	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:45:53.291825	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49729	34217	192.168.2.6	103.28.70.172
05/04/21-11:45:56.877127	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:00.232140	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49733	34217	192.168.2.6	103.28.70.172
05/04/21-11:46:00.877289	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:04.877847	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:06.218768	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49734	34217	192.168.2.6	103.28.70.172
05/04/21-11:46:08.877883	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:12.885400	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:13.320081	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49735	34217	192.168.2.6	103.28.70.172
05/04/21-11:46:16.939440	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:20.878971	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:21.203480	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49741	34217	192.168.2.6	103.28.70.172
05/04/21-11:46:24.879134	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:28.187827	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49747	34217	192.168.2.6	103.28.70.172
05/04/21-11:46:28.879333	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:32.881672	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:34.320243	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49755	34217	192.168.2.6	103.28.70.172
05/04/21-11:46:37.133642	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:40.880997	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:42.572436	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49756	34217	192.168.2.6	103.28.70.172
05/04/21-11:46:44.880830	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:48.880948	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:49.372542	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49757	34217	192.168.2.6	103.28.70.172
05/04/21-11:46:52.981836	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:46:55.739945	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49761	34217	192.168.2.6	103.28.70.172
05/04/21-11:46:56.882094	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:47:00.881964	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:47:01.735251	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49762	34217	192.168.2.6	103.28.70.172
05/04/21-11:47:04.885279	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:47:08.886615	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:47:09.147477	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49765	34217	192.168.2.6	103.28.70.172
05/04/21-11:47:12.884610	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:47:16.614552	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49766	34217	192.168.2.6	103.28.70.172
05/04/21-11:47:16.884827	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:47:20.885348	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:47:23.325523	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49767	34217	192.168.2.6	103.28.70.172
05/04/21-11:47:24.886380	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:47:28.885885	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:47:30.326704	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49768	34217	192.168.2.6	103.28.70.172
05/04/21-11:47:32.888742	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121
05/04/21-11:47:36.886809	ICMP	384	ICMP PING			192.168.2.6	8.253.207.121

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 11:45:40.494663000 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:40.661083937 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:40.663245916 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:40.708307028 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:40.887003899 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:40.911681890 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.080354929 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.102931976 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.323589087 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.323632956 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.323657036 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.323682070 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.323712111 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.323748112 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.490267038 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.490307093 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.490331888 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.490355015 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.490372896 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.490380049 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.490406036 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.490417004 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.490428925 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.490452051 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.490464926 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.490500927 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.659442902 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659480095 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659507036 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659532070 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659539938 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.659557104 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659581900 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659605980 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659632921 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659657001 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.659658909 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659683943 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.659684896 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659709930 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659720898 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.659734964 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659759045 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659769058 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.659782887 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659806013 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659832001 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.659833908 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.659878969 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.673305988 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.828501940 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828531027 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828550100 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828569889 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828588009 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828607082 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828624964 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828648090 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.828654051 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828681946 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828701973 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.828711987 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828711987 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.828738928 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828758955 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828768969 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.828787088 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828809977 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828810930 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.828835011 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828845978 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.828866005 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828888893 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828897953 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.828915119 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828938007 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828952074 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.828958035 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.828965902 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828986883 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.828999043 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.829014063 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.829020023 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.829041958 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.829056978 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.829071045 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.829080105 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.829101086 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.829104900 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.829128027 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.829128981 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.829150915 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.829170942 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.829184055 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.829189062 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.829200983 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.829202890 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.829227924 CEST	34217	49727	103.28.70.172	192.168.2.6
May 4, 2021 11:45:41.829236984 CEST	49727	34217	192.168.2.6	103.28.70.172
May 4, 2021 11:45:41.829256058 CEST	34217	49727	103.28.70.172	192.168.2.6

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Copy#.exe PID: 6408 Parent PID: 5944

General

Start time:	11:45:27
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\Copy#.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Copy#.exe'
Imagebase:	0x770000
File size:	1822208 bytes
MD5 hash:	AF64699AE611BD9008F11E0A087C4947
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: Copy#.exe PID: 6688 Parent PID: 6408

General

Start time:	11:45:35
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\Copy#.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Copy#.exe
Imagebase:	0x230000
File size:	1822208 bytes
MD5 hash:	AF64699AE611BD9008F11E0A087C4947
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Copy#.exe PID: 6748 Parent PID: 6408

General

Start time:	11:45:36
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\Copy#.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Copy#.exe
Imagebase:	0xd50000
File size:	1822208 bytes
MD5 hash:	AF64699AE611BD9008F11E0A087C4947
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Copy#.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Code Manipulations