
Analysis Report CONTRACT.exe

Overview

General Information

Sample Name: CONTRACT.exe
Analysis ID: 431926
MD5: 02430d34be900990fbf6a7efe35a7c64
SHA1: 00b40170c46ae026cf518588d5b6177538bb1036
SHA256: 80ca460c629559cf38e1244983877ed9c041c636c1f2e7e388ae2f9ba4d06788
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • CONTRACT.exe (PID: 6344 cmdline: 'C:\Users\user\Desktop\CONTRACT.exe' MD5: 02430D34BE900990FBF6A7EFE35A7C64)
    • schtasks.exe (PID: 6092 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp99D6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • CONTRACT.exe (PID: 6168 cmdline: {path} MD5: 02430D34BE900990FBF6A7EFE35A7C64)
      • schtasks.exe (PID: 5892 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9F3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • CONTRACT.exe (PID: 4600 cmdline: C:\Users\user\Desktop\CONTRACT.exe 0 MD5: 02430D34BE900990FBF6A7EFE35A7C64)
    • schtasks.exe (PID: 6440 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp372F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • CONTRACT.exe (PID: 5952 cmdline: {path} MD5: 02430D34BE900990FBF6A7EFE35A7C64)
    • CONTRACT.exe (PID: 1388 cmdline: {path} MD5: 02430D34BE900990FBF6A7EFE35A7C64)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "30b6fbac-dd0d-47bd-b8ab-6df66b01", "Group": "Default", "Domain1": "kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu", "Domain2": "", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.415", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0x236cb:$a: NanoCore
      • 0x23724:$a: NanoCore
      • 0x23761:$a: NanoCore
      • 0x237da:$a: NanoCore
      • 0x2372d:$b: ClientPlugin
      • 0x2376a:$b: ClientPlugin
      • 0x24068:$b: ClientPlugin
      • 0x24075:$b: ClientPlugin
      • 0x1b453:$e: KeepAlive
      • 0x23bb5:$g: LogClientMessage
      • 0x23b35:$i: get_Connected
      • 0x156fd:$j: #=q
      • 0x1572d:$j: #=q
      • 0x15769:$j: #=q
      • 0x15791:$j: #=q
      • 0x157c1:$j: #=q
      • 0x157f1:$j: #=q
      • 0x15821:$j: #=q
      • 0x15851:$j: #=q
      • 0x1586d:$j: #=q
      • 0x1589d:$j: #=q

Unpacked PEs

Source | Rule | Description | Author | Strings
28.0.CONTRACT.exe.400000.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
28.0.CONTRACT.exe.400000.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
28.0.CONTRACT.exe.400000.1.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
28.0.CONTRACT.exe.400000.1.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
15.2.CONTRACT.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\CONTRACT.exe, ProcessId: 6168, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\CONTRACT.exe, ProcessId: 6168, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\CONTRACT.exe, ProcessId: 6168, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\CONTRACT.exe, ProcessId: 6168, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "30b6fbac-dd0d-47bd-b8ab-6df66b01", "Group": "Default", "Domain1": "kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu", "Domain2": "", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.415", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\QnctWeFrWlqq.exe; ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: CONTRACT.exe; ReversingLabs: Detection: 36%
Yara detected Nanocore RAT
Source: Yara match; File source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CONTRACT.exe PID: 6168, type: MEMORY
Source: Yara match; File source: Process Memory Space: CONTRACT.exe PID: 1388, type: MEMORY
Source: Yara match; File source: 28.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.CONTRACT.exe.5b24629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.CONTRACT.exe.3deeb0c.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CONTRACT.exe.da294b8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.2.CONTRACT.exe.3cf3135.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.CONTRACT.exe.3de9cd6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.CONTRACT.exe.5b20000.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CONTRACT.exe.da294b8.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.CONTRACT.exe.3deeb0c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.CONTRACT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.2.CONTRACT.exe.3ceeb0c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.2.CONTRACT.exe.3ceeb0c.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.CONTRACT.exe.46be418.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.CONTRACT.exe.46be418.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.CONTRACT.exe.3df3135.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\QnctWeFrWlqq.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CONTRACT.exe; Joe Sandbox ML: detected
Source: 15.2.CONTRACT.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 28.0.CONTRACT.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.CONTRACT.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.CONTRACT.exe.5b20000.11.unpack; Avira: Label: TR/NanoCore.fadte
Source: 15.0.CONTRACT.exe.400000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 28.0.CONTRACT.exe.400000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 28.2.CONTRACT.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: CONTRACT.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\CONTRACT.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CONTRACT.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: CONTRACT.exe, 00000000.00000002.331511150.0000000007640000.00000002.00000001.sdmp, CONTRACT.exe, 0000000F.00000002.507447877.0000000005710000.00000002.00000001.sdmp, CONTRACT.exe, 00000012.00000002.416976159.0000000006C60000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu
Source: global traffic; TCP traffic: 192.168.2.5:49713 -> 185.140.53.135:1187
Source: Joe Sandbox View; IP Address: 185.140.53.135
Source: Joe Sandbox View; ASN Name: DAVID_CRAIGGG
Source: unknown; DNS traffic detected: queries for: kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CONTRACT.exe, 00000000.00000003.235560856.0000000005A80000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: CONTRACT.exe, 00000000.00000003.238068775.0000000005A7D000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersb
Source: CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.coma
Source: CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.come.com
Source: CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comion
Source: CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comm
Source: CONTRACT.exe, 00000000.00000003.232678625.0000000005A8B000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: CONTRACT.exe, 00000000.00000003.232678625.0000000005A8B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com8
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000000.00000003.234802969.0000000005AAD000.00000004.00000001.sdmp, CONTRACT.exe, 00000000.00000003.235175021.0000000005A74000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp; String found in binary or memor