
Windows Analysis Report 01_extracted.exe

Overview

General Information

Sample Name: 01_extracted.exe
Analysis ID: 483429
MD5: 59f356092b9f54b4ee5563a2fb8a3255
SHA1: 252ee78cd1597581b9dc14253a77526ef344af38
SHA256: 2206669cc770b99bfdcc44079e5f218a3b4161c7c973f652d6a497a58031bf1d
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected Nanocore RAT
Detected Nanocore Rat
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Uses dynamic DNS services
.NET source code contains potential unpacker
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • 01_extracted.exe (PID: 2392 cmdline: 'C:\Users\user\Desktop\01_extracted.exe' MD5: 59F356092B9F54B4EE5563A2FB8A3255)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "af905a54-91e0-44a6-90a1-2d1125da", "Group": "septe123", "Domain1": "sunnysept.duckdns.org", "Domain2": "sunnysept.duckdns.org", "Port": 5500, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings

Source: 01_extracted.exe | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 01_extracted.exe | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 01_extracted.exe | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 01_extracted.exe | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: Process Memory Space: 01_extracted.exe PID: 2392 | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xb485:$x1: NanoCore.ClientPluginHost
  • 0xb4c2:$x2: IClientNetworkHost
  • 0xefb3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x1a039:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: Process Memory Space: 01_extracted.exe PID: 2392 | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings

Source: 0.0.01_extracted.exe.260000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0.0.01_extracted.exe.260000.0.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 0.0.01_extracted.exe.260000.0.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0.0.01_extracted.exe.260000.0.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\01_extracted.exe, ProcessId: 2392, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\01_extracted.exe, ProcessId: 2392, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\01_extracted.exe, ProcessId: 2392, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\01_extracted.exe, ProcessId: 2392, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

          Jbx Signature Overview


          AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 01_extracted.exe | Avira: detected
Found malware configuration
Source: 0.0.01_extracted.exe.260000.0.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "af905a54-91e0-44a6-90a1-2d1125da", "Group": "septe123", "Domain1": "sunnysept.duckdns.org", "Domain2": "sunnysept.duckdns.org", "Port": 5500, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Yara detected Nanocore RAT
Source: Yara match | File source: 01_extracted.exe, type: SAMPLE
Source: Yara match | File source: 0.0.01_extracted.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 01_extracted.exe PID: 2392, type: MEMORYSTR
Machine Learning detection for sample
Source: 01_extracted.exe | Joe Sandbox ML: detected
Source: 0.0.01_extracted.exe.260000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 01_extracted.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\01_extracted.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49767 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49773 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49774 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49777 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49783 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49786 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49787 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49788 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49790 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49795 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49797 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49798 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49799 -> 194.147.140.14:5500
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49800 -> 194.147.140.14:5500
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: sunnysept.duckdns.org
Uses dynamic DNS services
Source: unknown | DNS query: name: sunnysept.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.3:49733 -> 194.147.140.14:5500
Source: Joe Sandbox View | ASN Name: PTPEU PTPEU
Source: unknown | DNS traffic detected: queries for: sunnysept.duckdns.org

          E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 01_extracted.exe, type: SAMPLE
Source: Yara match | File source: 0.0.01_extracted.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 01_extracted.exe PID: 2392, type: MEMORYSTR

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 01_extracted.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 01_extracted.exe, type: SAMPLE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.01_extracted.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.01_extracted.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 01_extracted.exe PID: 2392, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 01_extracted.exe PID: 2392, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 01_extracted.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 01_extracted.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 01_extracted.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 01_extracted.exe, type: SAMPLE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.01_extracted.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.01_extracted.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.01_extracted.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 01_extracted.exe PID: 2392, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 01_extracted.exe PID: 2392, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 01_extracted.exe | Static PE information: Section: .rsrc ZLIB complexity 0.999732142857
Source: C:\Users\user\Desktop\01_extracted.exe | File read: C:\Users\user\Desktop\01_extracted.exe
Source: 01_extracted.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\01_extracted.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\01_extracted.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\01_extracted.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\01_extracted.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\01_extracted.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\01_extracted.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{af905a54-91e0-44a6-90a1-2d1125da804b}
Source: C:\Users\user\Desktop\01_extracted.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\01_extracted.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@22/1
Source: 01_extracted.exe, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 01_extracted.exe, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 01_extracted.exe, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.01_extracted.exe.260000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.01_extracted.exe.260000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.01_extracted.exe.260000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 01_extracted.exe, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 01_extracted.exe, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.01_extracted.exe.260000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.01_extracted.exe.260000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\01_extracted.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: 01_extracted.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\01_extracted.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

          Data Obfuscation:

.NET source code contains potential unpacker
Source: 01_extracted.exe, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 01_extracted.exe, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.01_extracted.exe.260000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.01_extracted.exe.260000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 01_extracted.exe, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 01_extracted.exe, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.01_extracted.exe.260000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 0.0.01_extracted.exe.260000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

          Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\01_extracted.exe | File opened: C:\Users\user\Desktop\01_extracted.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\01_extracted.exe | Process information set: NOOPENFILEERRORBOX (this event is listed 40 times in the report)
Source: C:\Users\user\Desktop\01_extracted.exe | Window / User API: threadDelayed 364
Source: C:\Users\user\Desktop\01_extracted.exe | Window / User API: foregroundWindowGot 1016
Source: C:\Users\user\Desktop\01_extracted.exe TID: 1536 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\01_extracted.exe TID: 5380 | Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\01_extracted.exe TID: 1836 | Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\01_extracted.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\01_extracted.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\01_extracted.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\01_extracted.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\01_extracted.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\01_extracted.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\01_extracted.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 01_extracted.exe, type: SAMPLE
          Source: Yara match | File source: 0.0.01_extracted.exe.260000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: 01_extracted.exe PID: 2392, type: MEMORYSTR

          Remote Access Functionality:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 01_extracted.exe, type: SAMPLE
          Source: Yara match | File source: 0.0.01_extracted.exe.260000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: 01_extracted.exe PID: 2392, type: MEMORYSTR
          Detected Nanocore Rat
          Source: 01_extracted.exe, 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: 01_extracted.exe | String found in binary or memory: NanoCore.ClientPluginHost

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Masquerading (1) | OS Credential Dumping | Process Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Non-Standard Port (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Virtualization/Sandbox Evasion (21) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Remote Access Software (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (21) | Security Account Manager | Application Window Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information (1) | NTDS | System Information Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (21) | SIM Card Swap | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories (1) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing (12) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features

          Behavior Graph


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          01_extracted.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
          01_extracted.exe | 100% | Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          0.0.01_extracted.exe.260000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          Source | Detection | Scanner | Label
          sunnysept.duckdns.org | 2% | Virustotal

          URLs

          Source | Detection | Scanner | Label
          sunnysept.duckdns.org | 2% | Virustotal
          sunnysept.duckdns.org | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          sunnysept.duckdns.org | 194.147.140.14 | true | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          sunnysept.duckdns.org | true | 2% (Virustotal); Avira URL Cloud: safe | unknown

          Contacted IPs


          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          194.147.140.14 | sunnysept.duckdns.org | unknown | 47285 | PTPEU | true

          General Information

          Joe Sandbox Version:33.0.0 White Diamond
          Analysis ID:483429
          Start date:15.09.2021
          Start time:00:26:08
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 5m 15s
          Hypervisor based Inspection enabled:false
          Report type:light
          Sample file name:01_extracted.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed:23
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@1/2@22/1
          EGA Information:Failed
          HDC Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • TCP Packets have been reduced to 100
          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.82.209.183, 40.112.88.60, 20.82.210.154, 80.67.82.235, 80.67.82.211, 23.203.80.193, 51.104.136.2, 20.50.102.62
          • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, e11290.dspg.akamaiedge.net, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
          • Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.

          Simulations

          Behavior and APIs

          Time | Type | Description
          00:27:00 | API Interceptor | 1046x Sleep call for process: 01_extracted.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          Match | Associated Sample Name / URL | Detection | Context
          sunnysept.duckdns.org | 83736354Invoicereceipt.vbs | malicious | 198.23.251.21

          ASN

          Match | Associated Sample Name / URL | Detection | Context
          PTPEU | B4D3E2A30B09D1F2F33476F5234BD7A045973DDBC41A7.exe | malicious | 194.147.140.8
          PTPEU | 18-ITEMS-RECEIPT.vbs | malicious | 194.147.140.20
          PTPEU | 7-Items-receipt.vbs | malicious | 194.147.140.20
          PTPEU | 9 ITEMS INVOICE RECEIPT.vbs | malicious | 194.147.140.20
          PTPEU | 15 Items Receipt.vbs | malicious | 194.147.140.20
          PTPEU | 14 Items receipt.vbs | malicious | 194.147.140.20
          PTPEU | 16 Items receipt.vbs | malicious | 194.147.140.20
          PTPEU | SPT DRINGENDE BESTELLUNG _876453,pdf.exe | malicious | 194.147.140.9
          PTPEU | 41-Items-invoice.vbs | malicious | 194.147.140.20
          PTPEU | Confirmaci#U00f3n del pedido- No HD10103,pdf.exe | malicious | 194.147.140.9
          PTPEU | SPT DRINGENDE BESTELLUNG _8764,pdf.exe | malicious | 194.147.140.9
          PTPEU | 8 Items invoice.vbs | malicious | 194.147.140.20
          PTPEU | heimatec RFQ 4556_ DRINGEND,pdf.exe | malicious | 194.147.140.9
          PTPEU | Confirmarea comenzii noi-4019,pdf.exe | malicious | 194.147.140.9
          PTPEU | vuaXoDsazg | malicious | 194.147.142.145
          PTPEU | dsMBH5SmxL | malicious | 194.147.142.145
          PTPEU | YIupXk5F7b | malicious | 194.147.142.145
          PTPEU | pvbuEVYCUB | malicious | 194.147.142.145
          PTPEU | 1jTsJsy5b8 | malicious | 194.147.142.145
          PTPEU | fpAHzxlGRn | malicious | 194.147.142.145

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
          Process:C:\Users\user\Desktop\01_extracted.exe
          File Type:data
          Category:dropped
          Size (bytes):1160
          Entropy (8bit):7.089541637477408
          Encrypted:false
          SSDEEP:24:IQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+K:IknjhUknjhUknjhUknjhUknjhL
          MD5:7BEBBE1F1511163A3243CD8E0C75CC69
          SHA1:216B3AB5D802FA037A6EC5348B189398D8980B3C
          SHA-256:79A130865E9EFFFAA6C2E453942CE87F652681BCD76AAF987318300CAF5E3778
          SHA-512:4DCCB32411DEF72C938022B8675DA50B2DC4CD2C051B1C0377F63D6AAC42FC3D128B0ED580FB88954AB04A9E9EC8D272EBCCF74EB3F136BEF41ADBB845A1A530
          Malicious:false
          Reputation:moderate, very likely benign file
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
          Process:C:\Users\user\Desktop\01_extracted.exe
          File Type:data
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:3:c:c
          MD5:315CCD3669C58A3177FFB7D0189A1EEF
          SHA1:678EF06864D26881E2DB1B9511A32B56CF988F3A
          SHA-256:FFA8198F332474004817F0E82E3C209AF881FCDF52F51F30497A6AE6BFB37866
          SHA-512:D9FD615BE3D8AFEC18151D0CE055602C346F1525FD8ECBCA47B6D204FAC13DCD821B385B46DFC39CE5B3BDEFB23D7E75DB6F583505A31CC412F473B1C05E7E4E
          Malicious:true
          Reputation:low
          Preview: .)5.x.H

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.446133348432718
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          • Win32 Executable (generic) a (10002005/4) 49.78%
          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
          • Generic Win/DOS Executable (2004/3) 0.01%
          • DOS Executable Generic (2002/1) 0.01%
          File name:01_extracted.exe
          File size:207360
          MD5:59f356092b9f54b4ee5563a2fb8a3255
          SHA1:252ee78cd1597581b9dc14253a77526ef344af38
          SHA256:2206669cc770b99bfdcc44079e5f218a3b4161c7c973f652d6a497a58031bf1d
          SHA512:7043f238357ef4d13c4ebd4c21371173157332547ccf0777594fcdcc566f78f865850a28fabb43ee23f24b26bbf03ed3ee0ea03b299c1565313db623ccbfc128
          SSDEEP:6144:gLV6Bta6dtJmakIM5wq+HjVCuSj2OjrtJrIOXu:gLV6BtpmkNq+DVcH85
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. .....................................................................

          File Icon

          Icon Hash:00828e8e8686b000

          Static PE Info

          General

          Entrypoint:0x41e792
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          DLL Characteristics:
          Time Stamp:0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
          TLS Callbacks:
          CLR (.Net) Version:v2.0.50727
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

          Entrypoint Preview

          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e738 | 0x57 | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x15d90 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x2000 | 0x1c798 | 0x1c800 | False | 0.594503837719 | data | 6.5980706265 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .reloc | 0x20000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          .rsrc | 0x22000 | 0x15d90 | 0x15e00 | False | 0.999732142857 | data | 7.99777392121 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          RT_RCDATA | 0x22058 | 0x15d38 | TIM image, (48492,12466)

          Imports

          DLL | Import
          mscoree.dll | _CorExeMain

          Network Behavior

          Snort IDS Alerts

          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
          09/15/21-00:27:02.076627 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50200 | 8.8.8.8 | 192.168.2.3
          09/15/21-00:27:02.354546 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49733 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:27:07.400195 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51281 | 8.8.8.8 | 192.168.2.3
          09/15/21-00:27:07.631437 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49734 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:27:12.383586 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49199 | 8.8.8.8 | 192.168.2.3
          09/15/21-00:27:12.611541 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49735 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:27:17.744080 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:27:23.140472 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49737 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:27:28.739254 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49744 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:27:34.478410 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:27:39.773403 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 65110 | 8.8.8.8 | 192.168.2.3
          09/15/21-00:27:39.998463 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49746 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:27:45.423084 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49767 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:27:50.997919 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49773 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:27:56.021163 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49774 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:28:02.027049 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49777 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:28:07.677320 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49563 | 8.8.8.8 | 192.168.2.3
          09/15/21-00:28:08.684677 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49783 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:28:15.052658 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49786 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:28:21.468840 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49787 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:28:28.077642 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 57084 | 8.8.8.8 | 192.168.2.3
          09/15/21-00:28:28.305043 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49788 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:28:35.011567 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 57568 | 8.8.8.8 | 192.168.2.3
          09/15/21-00:28:35.239451 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49790 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:28:41.718002 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49795 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:28:48.005439 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55435 | 8.8.8.8 | 192.168.2.3
          09/15/21-00:28:48.231608 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49797 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:28:54.654295 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49798 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:29:00.711953 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56132 | 8.8.8.8 | 192.168.2.3
          09/15/21-00:29:00.938829 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49799 | 5500 | 192.168.2.3 | 194.147.140.14
          09/15/21-00:29:07.032341 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49800 | 5500 | 192.168.2.3 | 194.147.140.14

          TCP Packets


          UDP Packets

Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Sep 15, 2021 00:26:54.170667887 CEST  60985        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:26:54.207604885 CEST  53           60985      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:01.947751045 CEST  50200        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:02.076627016 CEST  53           50200      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:07.272417068 CEST  51281        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:07.400194883 CEST  53           51281      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:12.254900932 CEST  49199        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:12.383585930 CEST  53           49199      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:17.482837915 CEST  50620        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:17.516397953 CEST  53           50620      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:22.885296106 CEST  64938        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:22.912415028 CEST  53           64938      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:25.565556049 CEST  60152        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:25.609678984 CEST  53           60152      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:25.988378048 CEST  57544        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:26.024219036 CEST  53           57544      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:28.477812052 CEST  55984        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:28.513227940 CEST  53           55984      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:34.172791004 CEST  64185        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:34.251058102 CEST  53           64185      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:39.649972916 CEST  65110        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:39.773402929 CEST  53           65110      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:40.543015003 CEST  58361        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:40.586541891 CEST  53           58361      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:45.167210102 CEST  63492        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:45.197247028 CEST  53           63492      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:50.734563112 CEST  60831        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:50.770559072 CEST  53           60831      8.8.8.8       192.168.2.3
Sep 15, 2021 00:27:55.767343998 CEST  60100        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:27:55.794513941 CEST  53           60100      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:01.209887981 CEST  53195        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:01.254210949 CEST  53           53195      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:01.768517017 CEST  50141        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:01.800992966 CEST  53           50141      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:04.530802011 CEST  53023        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:04.567562103 CEST  53           53023      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:07.552164078 CEST  49563        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:07.677320004 CEST  53           49563      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:14.785747051 CEST  51352        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:14.822325945 CEST  53           51352      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:21.204571962 CEST  59349        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:21.239867926 CEST  53           59349      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:27.949857950 CEST  57084        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:28.077641964 CEST  53           57084      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:34.182403088 CEST  58823        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:34.260754108 CEST  53           58823      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:34.886750937 CEST  57568        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:35.011567116 CEST  53           57568      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:35.031457901 CEST  50540        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:35.067050934 CEST  53           50540      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:39.408174992 CEST  54366        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:39.448267937 CEST  53           54366      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:41.205141068 CEST  53034        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:41.248573065 CEST  53           53034      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:41.456763029 CEST  57762        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:41.491748095 CEST  53           57762      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:47.879156113 CEST  55435        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:48.005439043 CEST  53           55435      8.8.8.8       192.168.2.3
Sep 15, 2021 00:28:54.399796963 CEST  50713        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:28:54.427526951 CEST  53           50713      8.8.8.8       192.168.2.3
Sep 15, 2021 00:29:00.587172031 CEST  56132        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:29:00.711952925 CEST  53           56132      8.8.8.8       192.168.2.3
Sep 15, 2021 00:29:06.781688929 CEST  58987        53         192.168.2.3   8.8.8.8
Sep 15, 2021 00:29:06.808100939 CEST  53           58987      8.8.8.8       192.168.2.3

          DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
Sep 15, 2021 00:27:01.947751045 CEST  192.168.2.3  8.8.8.8  0x369f    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:07.272417068 CEST  192.168.2.3  8.8.8.8  0x673     Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:12.254900932 CEST  192.168.2.3  8.8.8.8  0x55cf    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:17.482837915 CEST  192.168.2.3  8.8.8.8  0x3be6    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:22.885296106 CEST  192.168.2.3  8.8.8.8  0x18e9    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:28.477812052 CEST  192.168.2.3  8.8.8.8  0xc3fb    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:34.172791004 CEST  192.168.2.3  8.8.8.8  0xd60b    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:39.649972916 CEST  192.168.2.3  8.8.8.8  0xd20     Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:45.167210102 CEST  192.168.2.3  8.8.8.8  0x7879    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:50.734563112 CEST  192.168.2.3  8.8.8.8  0x7d4f    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:55.767343998 CEST  192.168.2.3  8.8.8.8  0x7772    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:01.768517017 CEST  192.168.2.3  8.8.8.8  0x5cc8    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:07.552164078 CEST  192.168.2.3  8.8.8.8  0x12e5    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:14.785747051 CEST  192.168.2.3  8.8.8.8  0xfdc0    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:21.204571962 CEST  192.168.2.3  8.8.8.8  0x114a    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:27.949857950 CEST  192.168.2.3  8.8.8.8  0xe839    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:34.886750937 CEST  192.168.2.3  8.8.8.8  0x10c6    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:41.456763029 CEST  192.168.2.3  8.8.8.8  0x3859    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:47.879156113 CEST  192.168.2.3  8.8.8.8  0x36fb    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:54.399796963 CEST  192.168.2.3  8.8.8.8  0xd1d0    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:29:00.587172031 CEST  192.168.2.3  8.8.8.8  0x1acf    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)
Sep 15, 2021 00:29:06.781688929 CEST  192.168.2.3  8.8.8.8  0x4c4d    Standard query (0)  sunnysept.duckdns.org  A (IP address)  IN (0x0001)

          DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                   CName  Address         Type            Class
Sep 15, 2021 00:27:02.076627016 CEST  8.8.8.8    192.168.2.3  0x369f    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:07.400194883 CEST  8.8.8.8    192.168.2.3  0x673     No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:12.383585930 CEST  8.8.8.8    192.168.2.3  0x55cf    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:17.516397953 CEST  8.8.8.8    192.168.2.3  0x3be6    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:22.912415028 CEST  8.8.8.8    192.168.2.3  0x18e9    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:28.513227940 CEST  8.8.8.8    192.168.2.3  0xc3fb    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:34.251058102 CEST  8.8.8.8    192.168.2.3  0xd60b    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:39.773402929 CEST  8.8.8.8    192.168.2.3  0xd20     No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:45.197247028 CEST  8.8.8.8    192.168.2.3  0x7879    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:50.770559072 CEST  8.8.8.8    192.168.2.3  0x7d4f    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:27:55.794513941 CEST  8.8.8.8    192.168.2.3  0x7772    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:01.800992966 CEST  8.8.8.8    192.168.2.3  0x5cc8    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:07.677320004 CEST  8.8.8.8    192.168.2.3  0x12e5    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:14.822325945 CEST  8.8.8.8    192.168.2.3  0xfdc0    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:21.239867926 CEST  8.8.8.8    192.168.2.3  0x114a    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:28.077641964 CEST  8.8.8.8    192.168.2.3  0xe839    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:35.011567116 CEST  8.8.8.8    192.168.2.3  0x10c6    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:41.491748095 CEST  8.8.8.8    192.168.2.3  0x3859    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:48.005439043 CEST  8.8.8.8    192.168.2.3  0x36fb    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:28:54.427526951 CEST  8.8.8.8    192.168.2.3  0xd1d0    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:29:00.711952925 CEST  8.8.8.8    192.168.2.3  0x1acf    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
Sep 15, 2021 00:29:06.808100939 CEST  8.8.8.8    192.168.2.3  0x4c4d    No error (0)  sunnysept.duckdns.org  -      194.147.140.14  A (IP address)  IN (0x0001)
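The DNS and TCP tables above show the pattern an analyst wants to pull out of a sandbox capture: a dynamic-DNS name resolved again and again on a steady cadence of roughly five seconds, every answer pointing at the same address, and short client-initiated TCP sessions to that address on a non-standard port. The script below is an added example (not Joe Sandbox code and not part of the original report) that correlates the two tables into those indicators. It assumes the rows have been transcribed into a simple whitespace-separated form; the sample rows are constructed from the tables above with timestamps truncated to microseconds, and the dynamic-DNS suffix list is an illustrative assumption.

```python
"""
Correlate a sandbox's DNS and TCP tables into C2 indicators (added example).

Row format assumed by this example (whitespace-separated, transcribed from the report):
  TCP rows:  <date> <time> <src_port> <dst_port> <src_ip> <dst_ip>
  DNS rows:  <date> <time> Q|A <src_ip> <dst_ip> <trans_id> <name> [<answer_address>]
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample rows copied from the report's tables (CEST, truncated to microseconds).
TCP_ROWS = """
2021-09-15 00:27:23.737422 49737 5500 192.168.2.3 194.147.140.14
2021-09-15 00:27:23.960838 5500 49737 194.147.140.14 192.168.2.3
2021-09-15 00:27:24.521682 49737 5500 192.168.2.3 194.147.140.14
2021-09-15 00:27:28.514481 49744 5500 192.168.2.3 194.147.140.14
2021-09-15 00:27:28.738651 5500 49744 194.147.140.14 192.168.2.3
2021-09-15 00:27:30.029921 49744 5500 192.168.2.3 194.147.140.14
"""
DNS_ROWS = """
2021-09-15 00:27:01.947751 Q 192.168.2.3 8.8.8.8 0x369f sunnysept.duckdns.org
2021-09-15 00:27:02.076627 A 8.8.8.8 192.168.2.3 0x369f sunnysept.duckdns.org 194.147.140.14
2021-09-15 00:27:07.272417 Q 192.168.2.3 8.8.8.8 0x673 sunnysept.duckdns.org
2021-09-15 00:27:07.400194 A 8.8.8.8 192.168.2.3 0x673 sunnysept.duckdns.org 194.147.140.14
2021-09-15 00:27:12.254900 Q 192.168.2.3 8.8.8.8 0x55cf sunnysept.duckdns.org
2021-09-15 00:27:12.383585 A 8.8.8.8 192.168.2.3 0x55cf sunnysept.duckdns.org 194.147.140.14
2021-09-15 00:27:17.482837 Q 192.168.2.3 8.8.8.8 0x3be6 sunnysept.duckdns.org
2021-09-15 00:27:17.516397 A 8.8.8.8 192.168.2.3 0x3be6 sunnysept.duckdns.org 194.147.140.14
2021-09-15 00:27:22.885296 Q 192.168.2.3 8.8.8.8 0x18e9 sunnysept.duckdns.org
2021-09-15 00:27:22.912415 A 8.8.8.8 192.168.2.3 0x18e9 sunnysept.duckdns.org 194.147.140.14
"""

# Assumption: a short illustrative list of dynamic-DNS zones often abused for RAT C2.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")


def parse_ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")


def parse_rows(text):
    return [line.split() for line in text.strip().splitlines() if line.strip()]


def resolved_addresses(dns_text):
    """Map each queried name to the set of A-record addresses the resolver returned."""
    names = defaultdict(set)
    for row in parse_rows(dns_text):
        if row[2] == "A":
            names[row[6]].add(row[7])
    return dict(names)


def query_intervals(dns_text, name):
    """Seconds between successive client queries for one name (its re-resolution cadence)."""
    times = [parse_ts(r[0], r[1]) for r in parse_rows(dns_text) if r[2] == "Q" and r[6] == name]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def sessions_to(tcp_text, dst_ip):
    """Client-initiated TCP sessions to dst_ip, keyed by client port: (first_seen, dst_port)."""
    sessions = {}
    for date, time, sport, dport, sip, dip in parse_rows(tcp_text):
        if dip == dst_ip and sport not in sessions:
            sessions[sport] = (parse_ts(date, time), int(dport))
    return sessions


def c2_indicators(dns_text, tcp_text):
    """For every name that resolved to an address the client then connected to, report
    the destination ports used, whether the name sits under a dynamic-DNS zone, and
    whether the name is re-resolved on a steady cadence (relative jitter below 10%),
    which is what a fixed-delay reconnect loop looks like in a capture."""
    findings = []
    for name, addrs in resolved_addresses(dns_text).items():
        for ip in sorted(addrs):
            sessions = sessions_to(tcp_text, ip)
            if not sessions:
                continue
            gaps = query_intervals(dns_text, name)
            jitter = pstdev(gaps) / mean(gaps) if len(gaps) > 1 else None
            findings.append({
                "name": name,
                "ip": ip,
                "ports": sorted({port for _, port in sessions.values()}),
                "dyndns": name.endswith(DYNDNS_SUFFIXES),
                "sessions": len(sessions),
                "mean_query_gap_s": round(mean(gaps), 1) if gaps else None,
                "regular": jitter is not None and jitter < 0.1,
            })
    return findings


if __name__ == "__main__":
    for finding in c2_indicators(DNS_ROWS, TCP_ROWS):
        print(finding)
```

The jitter test is deliberately loose: sandbox timestamps include resolver latency and scheduler noise, so a fixed-delay loop shows up as a few percent of variation, not zero. Run against the rows above it reports one finding: the duckdns name, the single address it resolves to, destination port 5500 only, two client sessions, and a regular query cadence of about 5.2 seconds.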

          Code Manipulations

          Statistics

          System Behavior

          General

Start time: 00:26:59
Start date: 15/09/2021
Path: C:\Users\user\Desktop\01_extracted.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\01_extracted.exe'
Imagebase: 0x260000
File size: 207360 bytes
MD5 hash: 59F356092B9F54B4EE5563A2FB8A3255
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000000.210003414.0000000000262000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

          Disassembly

          Code Analysis
