
Analysis Report #RFQ ORDER484475577797.exe

Overview

General Information

Sample Name: #RFQ ORDER484475577797.exe
Analysis ID: 431672
MD5: 18e38261e8ea6ae0077c5448f809ccb6
SHA1: bbfaf42987014ba9571c75d1982843d7ad7155ac
SHA256: 3cb5c285d5e7f163c9764ef3e99467f5460b7f704c996ffa8e5e2982a2a86693
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • #RFQ ORDER484475577797.exe (PID: 4364 cmdline: 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe' MD5: 18E38261E8EA6AE0077C5448F809CCB6)
    • powershell.exe (PID: 5616 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6052 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5728 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LNSXWuepjsOA' /XML 'C:\Users\user\AppData\Local\Temp\tmp5439.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3292 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • #RFQ ORDER484475577797.exe (PID: 1048 cmdline: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe MD5: 18E38261E8EA6AE0077C5448F809CCB6)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "44a4f7d4-4e07-4399-aab5-6ba6b60e", "Group": "bb", "Domain1": "194.5.98.120", "Domain2": "joseedward5001.ddns.net", "Port": 1604, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.494989235.0000000006530000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x8ba5:$x1: NanoCore.ClientPluginHost
  • 0x8bd2:$x2: IClientNetworkHost
0000000A.00000002.494989235.0000000006530000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x8ba5:$x2: NanoCore.ClientPluginHost
  • 0x9b74:$s2: FileCommand
  • 0xe576:$s4: PipeCreated
  • 0x8bbf:$s5: IClientLoggingHost
00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x55dd7:$a: NanoCore
  • 0x55ec1:$a: NanoCore
  • 0x56d38:$a: NanoCore
  • 0x5fee2:$a: NanoCore
  • 0x5ff43:$a: NanoCore
  • 0x5ff86:$a: NanoCore
  • 0x5ffc6:$a: NanoCore
  • 0x60202:$a: NanoCore
  • 0x602a2:$a: NanoCore
  • 0x60a7a:$a: NanoCore
  • 0x6106d:$a: NanoCore
  • 0x611be:$a: NanoCore
  • 0x62018:$a: NanoCore
  • 0x6227f:$a: NanoCore
  • 0x62294:$a: NanoCore
  • 0x622b3:$a: NanoCore
  • 0x6b1b6:$a: NanoCore
  • 0x6b1df:$a: NanoCore
  • 0x76f58:$a: NanoCore
  • 0x76f81:$a: NanoCore
  • 0x9be44:$a: NanoCore
0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x7aa6a:$a: NanoCore
  • 0x7aa8f:$a: NanoCore
  • 0x7aae8:$a: NanoCore
  • 0x8accf:$a: NanoCore
  • 0x8acf5:$a: NanoCore
  • 0x8ad51:$a: NanoCore
  • 0x97beb:$a: NanoCore
  • 0x97c44:$a: NanoCore
  • 0x97c77:$a: NanoCore
  • 0x97ea3:$a: NanoCore
  • 0x97f1f:$a: NanoCore
  • 0x98538:$a: NanoCore
  • 0x98681:$a: NanoCore
  • 0x98b55:$a: NanoCore
  • 0x98e3c:$a: NanoCore
  • 0x98e53:$a: NanoCore
  • 0xa1d37:$a: NanoCore
  • 0xa1db3:$a: NanoCore
  • 0xa4696:$a: NanoCore
  • 0xa9ca1:$a: NanoCore
  • 0xa9d1b:$a: NanoCore
(Table truncated: 51 entries in total.)

Unpacked PEs

Source | Rule | Description | Author | Strings
10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
10.2.#RFQ ORDER484475577797.exe.6560000.32.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x16e3:$x1: NanoCore.ClientPluginHost
  • 0x171c:$x2: IClientNetworkHost
10.2.#RFQ ORDER484475577797.exe.6560000.32.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x16e3:$x2: NanoCore.ClientPluginHost
  • 0x1800:$s4: PipeCreated
  • 0x16fd:$s5: IClientLoggingHost
10.2.#RFQ ORDER484475577797.exe.5e14629.29.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
(Table truncated: 159 entries in total.)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe, ProcessId: 1048, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe, ProcessId: 1048, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe', ParentImage: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe, ParentProcessId: 4364, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe', ProcessId: 5616

Stealing of Sensitive Information: