
Windows Analysis Report Peixoto - QUOTATION LIST.exe

Overview

General Information

Sample Name: Peixoto - QUOTATION LIST.exe
Analysis ID: 499570
MD5: 0f129aa97048f7ec0557b211349a2ce0
SHA1: b597185c94fac60cd7e25db83bfb39ed07409289
SHA256: fcf3b27fdc54c53a1f7510abf8bdf748bd3199813d0294738feba29c7c1054d1
Tags: exe, NanoCore


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores files to the Windows start menu directory
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • Peixoto - QUOTATION LIST.exe (PID: 5460 cmdline: 'C:\Users\user\Desktop\Peixoto - QUOTATION LIST.exe' MD5: 0F129AA97048F7EC0557B211349A2CE0)
    • Peixoto - QUOTATION LIST.exe (PID: 6572 cmdline: C:\Users\user\AppData\Local\Temp\Peixoto - QUOTATION LIST.exe MD5: 0F129AA97048F7EC0557B211349A2CE0)
    • Peixoto - QUOTATION LIST.exe (PID: 6584 cmdline: C:\Users\user\AppData\Local\Temp\Peixoto - QUOTATION LIST.exe MD5: 0F129AA97048F7EC0557B211349A2CE0)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "28a7a9fa-8b88-4ff1-be22-9ecea4e9", "Group": "T-C", "Domain1": "185.222.57.149", "Domain2": "127.0.0.1", "Port": 4557, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000010.00000002.507935886.0000000007200000.00000004.00020000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost

Source: 00000010.00000002.507935886.0000000007200000.00000004.00020000.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x59eb:$x2: NanoCore.ClientPluginHost
  • 0x6941:$s3: PipeExists
  • 0x5be1:$s4: PipeCreated
  • 0x5a05:$s5: IClientLoggingHost

Source: 00000000.00000002.331468267.000000000352B000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x37de5:$x1: NanoCore.ClientPluginHost
  • 0x5fe05:$x1: NanoCore.ClientPluginHost
  • 0x37e22:$x2: IClientNetworkHost
  • 0x5fe42:$x2: IClientNetworkHost
  • 0x3b955:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x63975:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000000.00000002.331468267.000000000352B000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Source: 00000000.00000002.331468267.000000000352B000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x37b4d:$a: NanoCore
  • 0x37b5d:$a: NanoCore
  • 0x37d91:$a: NanoCore
  • 0x37da5:$a: NanoCore
  • 0x37de5:$a: NanoCore
  • 0x5fb6d:$a: NanoCore
  • 0x5fb7d:$a: NanoCore
  • 0x5fdb1:$a: NanoCore
  • 0x5fdc5:$a: NanoCore
  • 0x5fe05:$a: NanoCore
  • 0x37bac:$b: ClientPlugin
  • 0x37dae:$b: ClientPlugin
  • 0x37dee:$b: ClientPlugin
  • 0x5fbcc:$b: ClientPlugin
  • 0x5fdce:$b: ClientPlugin
  • 0x5fe0e:$b: ClientPlugin
  • 0x37cd3:$c: ProjectData
  • 0x5fcf3:$c: ProjectData
  • 0x386da:$d: DESCrypto
  • 0x606fa:$d: DESCrypto
  • 0x400a6:$e: KeepAlive

(Table truncated: 49 entries in the full report.)

Unpacked PEs

Source | Rule | Description | Author | Strings

Source: 16.2.Peixoto - QUOTATION LIST.exe.71e0000.23.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x605:$x1: NanoCore.ClientPluginHost
  • 0x63e:$x2: IClientNetworkHost

Source: 16.2.Peixoto - QUOTATION LIST.exe.71e0000.23.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x605:$x2: NanoCore.ClientPluginHost
  • 0x720:$s4: PipeCreated
  • 0x61f:$s5: IClientLoggingHost

Source: 16.2.Peixoto - QUOTATION LIST.exe.71e0000.23.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x2205:$x1: NanoCore.ClientPluginHost
  • 0x223e:$x2: IClientNetworkHost

Source: 16.2.Peixoto - QUOTATION LIST.exe.71e0000.23.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x2205:$x2: NanoCore.ClientPluginHost
  • 0x2320:$s4: PipeCreated
  • 0x221f:$s5: IClientLoggingHost

Source: 16.2.Peixoto - QUOTATION LIST.exe.7180000.20.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x6da5:$x1: NanoCore.ClientPluginHost
  • 0x6dd2:$x2: IClientNetworkHost

(Table truncated: 135 entries in the full report.)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Peixoto - QUOTATION LIST.exe, ProcessId: 6584, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Peixoto - QUOTATION LIST.exe, ProcessId: 6584, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Peixoto - QUOTATION LIST.exe, ProcessId: 6584, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Peixoto - QUOTATION LIST.exe, ProcessId: 6584, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000010.00000002.505140332.0000000004437000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "28a7a9fa-8b88-4ff1-be22-9ecea4e9", "Group": "T-C", "Domain1": "185.222.57.149", "Domain2": "127.0.0.1", "Port": 4557, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file
Source: Peixoto - QUOTATION LIST.exe | Virustotal: Detection: 25%

Multi AV Scanner detection for domain / URL
Source: 185.222.57.149 | Virustotal: Detection: 5%

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Peixoto - QUOTATION LIST.exe | Virustotal: Detection: 25%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zhrtgdis.exe | Virustotal: Detection: 25%

Yara detected Nanocore RAT
Source: Yara match | File source: 16.2.Peixoto - QUOTATION LIST.exe.6660000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.Peixoto - QUOTATION LIST.exe.6664629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Peixoto - QUOTATION LIST.exe.357ac78.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.Peixoto - QUOTATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.Peixoto - QUOTATION LIST.exe.6660000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.Peixoto - QUOTATION LIST.exe.444d049.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.Peixoto - QUOTATION LIST.exe.4448a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Peixoto - QUOTATION LIST.exe.357ac78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Peixoto - QUOTATION LIST.exe.37306f0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Peixoto - QUOTATION LIST.exe.37306f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.Peixoto - QUOTATION LIST.exe.4448a20.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Peixoto - QUOTATION LIST.exe.3552c58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Peixoto - QUOTATION LIST.exe.3552c58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.331468267.000000000352B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.331768876.00000000035CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.332453140.00000000036CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.505140332.0000000004437000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.497755666.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.507029930.0000000006660000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.502657660.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Peixoto - QUOTATION LIST.exe PID: 5460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Peixoto - QUOTATION LIST.exe PID: 6584, type: MEMORYSTR

Machine Learning detection for sample
Source: Peixoto - QUOTATION LIST.exe | Joe Sandbox ML: detected

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Peixoto - QUOTATION LIST.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zhrtgdis.exe | Joe Sandbox ML: detected
Source: 16.2.Peixoto - QUOTATION LIST.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.Peixoto - QUOTATION LIST.exe.6660000.17.unpack | Avira: Label: TR/NanoCore.fadte
Source: 16.2.Peixoto - QUOTATION LIST.exe.4448a20.8.unpack | Avira: Label: TR/NanoCore.fadte
Source: Peixoto - QUOTATION LIST.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE