
Analysis Report xtxr8lHa5F.exe

Overview

General Information

Sample Name: xtxr8lHa5F.exe
Analysis ID: 432024
MD5: c89c05d0f2853fa30b535aa2544006e5
SHA1: 2e3a6adc296d26732a3c61ac761052b8793f7da0
SHA256: b2ec2e506bc9741873e39cc6fdc07802a1180136657582ae807d5f6112cfc02a
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • xtxr8lHa5F.exe (PID: 5352 cmdline: 'C:\Users\user\Desktop\xtxr8lHa5F.exe' MD5: C89C05D0F2853FA30B535AA2544006E5)
    • schtasks.exe (PID: 3696 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rOKWrJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp76E9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 5260 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
    • MSBuild.exe (PID: 5268 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
      • schtasks.exe (PID: 5020 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp604E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 3564 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6502.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MSBuild.exe (PID: 3508 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 1180 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 3776 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "ab394965-c5ce-4154-ad1c-da01ecc2",
  "Group": "Mamie",
  "Domain1": "82.64.141.173",
  "Domain2": "82.64.141.173",
  "Port": 6666,
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost
00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x59eb:$x2: NanoCore.ClientPluginHost
  • 0x6941:$s3: PipeExists
  • 0x5be1:$s4: PipeCreated
  • 0x5a05:$s5: IClientLoggingHost
00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(49 entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author
19.2.MSBuild.exe.6a00000.19.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost
19.2.MSBuild.exe.6a00000.19.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost
19.2.MSBuild.exe.6990000.14.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x605:$x1: NanoCore.ClientPluginHost
  • 0x63e:$x2: IClientNetworkHost
19.2.MSBuild.exe.6990000.14.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x605:$x2: NanoCore.ClientPluginHost
  • 0x720:$s4: PipeCreated
  • 0x61f:$s5: IClientLoggingHost
19.2.MSBuild.exe.69a0000.15.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x13a8:$x1: NanoCore.ClientPluginHost
(94 entries in total; only the first are shown here)

Sigma Overview

Sigma detected: NanoCore (listed under AV Detection, E-Banking Fraud, Stealing of Sensitive Information and Remote Access Functionality)
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5268, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 19.2.MSBuild.exe.4182eb4.6.raw.unpack; Malware Configuration Extractor: NanoCore (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\rOKWrJ.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Roaming\rOKWrJ.exe; ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: xtxr8lHa5F.exe; Virustotal: Detection: 50%
Source: xtxr8lHa5F.exe; Metadefender: Detection: 34%
Source: xtxr8lHa5F.exe; ReversingLabs: Detection: 65%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.487426729.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: xtxr8lHa5F.exe PID: 5352, type: MEMORY
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 5268, type: MEMORY
Source: Yara match; File source: 19.2.MSBuild.exe.6a10000.21.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.MSBuild.exe.6a10000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.MSBuild.exe.6a14629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.xtxr8lHa5F.exe.47d1b78.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.MSBuild.exe.4171e56.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.MSBuild.exe.4182eb4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.MSBuild.exe.4176c82.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack, type: UNPACKEDPE
Source: 19.2.MSBuild.exe.6a10000.21.unpack; Avira: Label: TR/NanoCore.fadte
Source: 19.0.MSBuild.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.2.MSBuild.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.MSBuild.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: xtxr8lHa5F.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: xtxr8lHa5F.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorlib.pdb source: MSBuild.exe, 00000013.00000002.481813725.0000000001373000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\fcghDRQpfO\src\obj\Debug\PH8v.pdbh source: xtxr8lHa5F.exe
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.19.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000013.00000002.481813725.0000000001373000.00000004.00000020.sdmp, dhcpmon.exe, 0000001A.00000002.312274650.0000000000602000.00000002.00020000.sdmp, dhcpmon.exe, 0000001D.00000002.326402171.00000000001E2000.00000002.00020000.sdmp, dhcpmon.exe.19.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000013.00000002.490432497.00000000069E0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000013.00000002.490307408.0000000006990000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\fcghDRQpfO\src\obj\Debug\PH8v.pdb source: xtxr8lHa5F.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 19_2_071F0838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 19_2_071F0828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 19_2_071F089E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49728 -> 82.64.141.173:6666
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49729 -> 82.64.141.173:6666
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 82.64.141.173:6666
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49732 -> 82.64.141.173:6666
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 82.64.