Analysis Report dYy3yfSkwY.exe

Overview

General Information

Sample Name: dYy3yfSkwY.exe
Analysis ID: 432605
MD5: 3deb8b7e51c21cba0c2c723c5af953dd
SHA1: f98809b1b883912d278f7eaf64d7eedfaee1ef5a
SHA256: c0503f7c65391a5be8030bbaaf6c17260fa67e40a3fcc23b84c26610c266008b
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • dYy3yfSkwY.exe (PID: 6108 cmdline: 'C:\Users\user\Desktop\dYy3yfSkwY.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)
    • dYy3yfSkwY.exe (PID: 668 cmdline: 'C:\Users\user\Desktop\dYy3yfSkwY.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)
  • opjlpsercy.exe (PID: 3724 cmdline: 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)
    • opjlpsercy.exe (PID: 4520 cmdline: 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)
  • opjlpsercy.exe (PID: 5892 cmdline: 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "4614bd42-26c0-4da0-8e09-16890d37",
  "Group": "Default",
  "Domain1": "wekeepworking.sytes.net",
  "Domain2": "wekeepworking12.sytes.net",
  "Port": 1144,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x251e5:$x1: NanoCore.ClientPluginHost
  • 0x25222:$x2: IClientNetworkHost
  • 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

0000000B.00000002.317958007.0000000000400000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x24f4d:$a: NanoCore
  • 0x24f5d:$a: NanoCore
  • 0x25191:$a: NanoCore
  • 0x251a5:$a: NanoCore
  • 0x251e5:$a: NanoCore
  • 0x24fac:$b: ClientPlugin
  • 0x251ae:$b: ClientPlugin
  • 0x251ee:$b: ClientPlugin
  • 0x250d3:$c: ProjectData
  • 0x25ada:$d: DESCrypto
  • 0x2d4a6:$e: KeepAlive
  • 0x2b494:$g: LogClientMessage
  • 0x2768f:$i: get_Connected
  • 0x25e10:$j: #=q
  • 0x25e40:$j: #=q
  • 0x25e5c:$j: #=q
  • 0x25e8c:$j: #=q
  • 0x25ea8:$j: #=q
  • 0x25ec4:$j: #=q
  • 0x25ef4:$j: #=q
  • 0x25f10:$j: #=q

0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

0000000B.00000002.319773965.000000000396D000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>

Unpacked PEs

Source | Rule | Description | Author | Strings

11.2.opjlpsercy.exe.3ab7184.8.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x6da5:$x1: NanoCore.ClientPluginHost
  • 0x6dd2:$x2: IClientNetworkHost

11.2.opjlpsercy.exe.3ab7184.8.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x6da5:$x2: NanoCore.ClientPluginHost
  • 0x7d74:$s2: FileCommand
  • 0xc776:$s4: PipeCreated
  • 0x6dbf:$s5: IClientLoggingHost

11.2.opjlpsercy.exe.290b950.3.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost

11.2.opjlpsercy.exe.290b950.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated

7.2.opjlpsercy.exe.9810000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x215e5:$x1: NanoCore.ClientPluginHost
  • 0x21622:$x2: IClientNetworkHost
  • 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\dYy3yfSkwY.exe, ProcessId: 668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\dYy3yfSkwY.exe, ProcessId: 668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\dYy3yfSkwY.exe, ProcessId: 668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\dYy3yfSkwY.exe, ProcessId: 668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.dYy3yfSkwY.exe.2191458.3.raw.unpack, Malware Configuration Extractor: NanoCore (the extracted configuration is the one listed above under Malware Configuration)

Multi AV Scanner detection for domain / URL
Source: wekeepworking.sytes.net, Virustotal: Detection: 7%

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe, ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file
Source: dYy3yfSkwY.exe, Virustotal: Detection: 19%
Source: dYy3yfSkwY.exe, ReversingLabs: Detection: 34%

Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe, Joe Sandbox ML: detected

Machine Learning detection for sample
Source: dYy3yfSkwY.exe, Joe Sandbox ML: detected
Source: 0.2.dYy3yfSkwY.exe.9920000.6.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.opjlpsercy.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.opjlpsercy.exe.40ff3e.2.unpack, Avira: Label: ADWARE/Patched.Ren.Gen7
Source: 11.1.opjlpsercy.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.dYy3yfSkwY.exe.40ff3e.2.unpack, Avira: Label: ADWARE/Patched.Ren.Gen7
Source: 3.1.dYy3yfSkwY.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.opjlpsercy.exe.4b00000.10.unpack, Avira: Label: TR/Dropper.MSIL.Gen7

Compliance: