
Windows Analysis Report WrNhr6yUD8.exe

Overview

General Information

Sample Name:WrNhr6yUD8.exe
Analysis ID:452096
MD5:fb64fc2471a48928b7989f7e959de261
SHA1:334f95083ee83d20255b87e0bfd4aae86a922d20
SHA256:cc536d630284e622821d1034fadec488cb35dc72bdfb75edbd184a638d052f98
Tags:exeNanoCoreRAT

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • WrNhr6yUD8.exe (PID: 896 cmdline: 'C:\Users\user\Desktop\WrNhr6yUD8.exe' MD5: FB64FC2471A48928B7989F7E959DE261)
    • WrNhr6yUD8.exe (PID: 5916 cmdline: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe MD5: FB64FC2471A48928B7989F7E959DE261)
  • dhcpmon.exe (PID: 5660 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: FB64FC2471A48928B7989F7E959DE261)
    • dhcpmon.exe (PID: 612 cmdline: C:\Users\user\AppData\Local\Temp\dhcpmon.exe MD5: FB64FC2471A48928B7989F7E959DE261)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost
0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b0b:$x2: NanoCore.ClientPluginHost
  • 0x5c0f:$s4: PipeCreated
  • 0x5b25:$s5: IClientLoggingHost
0000000E.00000002.507076827.0000000007480000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x8ba5:$x1: NanoCore.ClientPluginHost
  • 0x8bd2:$x2: IClientNetworkHost
0000000E.00000002.507076827.0000000007480000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x8ba5:$x2: NanoCore.ClientPluginHost
  • 0x9b74:$s2: FileCommand
  • 0xe576:$s4: PipeCreated
  • 0x8bbf:$s5: IClientLoggingHost
0000000E.00000002.507595922.0000000007590000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
(5 of 46 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
14.2.WrNhr6yUD8.exe.74d0000.26.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost
14.2.WrNhr6yUD8.exe.74d0000.26.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b0b:$x2: NanoCore.ClientPluginHost
  • 0x5c0f:$s4: PipeCreated
  • 0x5b25:$s5: IClientLoggingHost
14.2.WrNhr6yUD8.exe.44b9930.7.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
14.2.WrNhr6yUD8.exe.44b9930.7.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
14.2.WrNhr6yUD8.exe.7590000.36.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
(5 of 154 entries shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, ProcessId: 5916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, ProcessId: 5916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, ProcessId: 5916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, ProcessId: 5916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe | ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: WrNhr6yUD8.exe | Virustotal: Detection: 30%
Source: WrNhr6yUD8.exe | ReversingLabs: Detection: 21%
Yara detected Nanocore RAT
Source: Yara match | File source: 14.2.WrNhr6yUD8.exe.451d051.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.WrNhr6yUD8.exe.4518a28.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.WrNhr6yUD8.exe.5c70000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.dhcpmon.exe.412ff3c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.dhcpmon.exe.3f37128.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.WrNhr6yUD8.exe.4518a28.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.dhcpmon.exe.412ff3c.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.WrNhr6yUD8.exe.5c74629.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.dhcpmon.exe.4134565.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.WrNhr6yUD8.exe.5c70000.20.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.dhcpmon.exe.412b106.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.WrNhr6yUD8.exe.4504565.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WrNhr6yUD8.exe.38f6908.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.dhcpmon.exe.3f37128.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.WrNhr6yUD8.exe.4630889.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.WrNhr6yUD8.exe.463cabd.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.WrNhr6yUD8.exe.46510ea.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WrNhr6yUD8.exe.38f6908.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.424925007.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.308987203.00000000038F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.410463215.0000000003E98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.308863362.0000000003857000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.504364191.0000000004501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.424776175.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.496594455.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.422787857.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.500382926.00000000034B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.506071191.0000000005C70000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: WrNhr6yUD8.exe | Joe Sandbox ML: detected
Source: 14.2.WrNhr6yUD8.exe.4518a28.8.unpack | Avira: Label: TR/NanoCore.fadte
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.WrNhr6yUD8.exe.5c70000.20.unpack | Avira: Label: TR/NanoCore.fadte
Source: 22.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: WrNhr6yUD8.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: WrNhr6yUD8.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 14_2_065EB1B0
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 14_2_065EFE48

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49714 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49716 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49718 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49729 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49730 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49731 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49734 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49735 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49736 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49737 -> 37.0.8.214:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49738 -> 37.0.8.214:8234
Uses dynamic DNS services
Source: unknown | DNS query: name: hhjhtggfr.duckdns.org