Loading ...

Play interactive tourEdit tour

Analysis Report 9n7miZydYC.exe

Overview

General Information

Sample Name:9n7miZydYC.exe
Analysis ID:431749
MD5:61de33a77d34a313df07dc2bdd28140a
SHA1:2690f84adb2c6174aab432a61737ca892af2d206
SHA256:9037afbf6a54684a77a6d0b204daa0a843555e01a9bd600545d8ae252b88fad7
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 9n7miZydYC.exe (PID: 780 cmdline: 'C:\Users\user\Desktop\9n7miZydYC.exe' MD5: 61DE33A77D34A313DF07DC2BDD28140A)
    • 9n7miZydYC.exe (PID: 1736 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)
      • schtasks.exe (PID: 4560 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC2C1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4356 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC67B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 9n7miZydYC.exe (PID: 4716 cmdline: C:\Users\user\Desktop\9n7miZydYC.exe 0 MD5: 61DE33A77D34A313DF07DC2BDD28140A)
    • 9n7miZydYC.exe (PID: 3040 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)
    • 9n7miZydYC.exe (PID: 4280 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)
    • 9n7miZydYC.exe (PID: 5752 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)
  • dhcpmon.exe (PID: 5508 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 61DE33A77D34A313DF07DC2BDD28140A)
    • dhcpmon.exe (PID: 2148 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)
  • dhcpmon.exe (PID: 5668 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 61DE33A77D34A313DF07DC2BDD28140A)
    • dhcpmon.exe (PID: 3504 cmdline: {path} MD5: 61DE33A77D34A313DF07DC2BDD28140A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f9198f9a-66a7-4bba-ab1c-dff8091c", "Group": "Default", "Domain1": "tzitziklishop.ddns.net", "Domain2": "tzitziklishop.ddns.net", "Port": 1665, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "37.235.1.177", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001F.00000000.383519060.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001F.00000000.383519060.0000000000402000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    0000001F.00000000.383519060.0000000000402000.00000040.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    0000001E.00000002.392510114.00000000042C9000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      0000001E.00000002.392510114.00000000042C9000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0x435a5:$a: NanoCore
      • 0x435fe:$a: NanoCore
      • 0x4363b:$a: NanoCore
      • 0x436b4:$a: NanoCore
      • 0x56d5f:$a: NanoCore
      • 0x56d74:$a: NanoCore
      • 0x56da9:$a: NanoCore
      • 0x6fd63:$a: NanoCore
      • 0x6fd78:$a: NanoCore
      • 0x6fdad:$a: NanoCore
      • 0x43607:$b: ClientPlugin
      • 0x43644:$b: ClientPlugin
      • 0x43f42:$b: ClientPlugin
      • 0x43f4f:$b: ClientPlugin
      • 0x56b1b:$b: ClientPlugin
      • 0x56b36:$b: ClientPlugin
      • 0x56b66:$b: ClientPlugin
      • 0x56d7d:$b: ClientPlugin
      • 0x56db2:$b: ClientPlugin
      • 0x6fb1f:$b: ClientPlugin
      • 0x6fb3a:$b: ClientPlugin
      Click to see the 99 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      31.0.dhcpmon.exe.400000.3.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      31.0.dhcpmon.exe.400000.3.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      31.0.dhcpmon.exe.400000.3.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        31.0.dhcpmon.exe.400000.3.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
        31.2.dhcpmon.exe.3c505fc.4.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xf7ad:$x1: NanoCore.ClientPluginHost
        • 0x287b1:$x1: NanoCore.ClientPluginHost
        • 0xf7da:$x2: IClientNetworkHost
        • 0x287de:$x2: IClientNetworkHost