Windows Analysis Report NGhyIeBff1.exe

Overview

General Information

Sample Name: NGhyIeBff1.exe
Analysis ID: 500302
MD5: 9333b848ec502f882c35f7d865aec7d6
SHA1: c56c21e6918f2efd0050552ac8fb831c8ed6da3a
SHA256: e564c250cd0780ed1870506da94c0cb34240c41f361a9bee13db815e4e58b266
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Protects its processes via BreakOnTermination flag
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • NGhyIeBff1.exe (PID: 2940 cmdline: 'C:\Users\user\Desktop\NGhyIeBff1.exe' MD5: 9333B848EC502F882C35F7D865AEC7D6)
    • schtasks.exe (PID: 2848 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DAC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5160 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4260.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NGhyIeBff1.exe (PID: 6120 cmdline: C:\Users\user\Desktop\NGhyIeBff1.exe 0 MD5: 9333B848EC502F882C35F7D865AEC7D6)
  • dhcpmon.exe (PID: 5108 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 9333B848EC502F882C35F7D865AEC7D6)
  • dhcpmon.exe (PID: 6188 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 9333B848EC502F882C35F7D865AEC7D6)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "4446a45b-bad8-4335-9f6c-9bedde63",
  "Group": "Default",
  "Domain1": "192.168.2.23",
  "Domain2": "",
  "Port": 25565,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Enable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Enable",
  "SetCriticalProcess": "Enable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "f4ff9f00",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Initial Sample

Source: NGhyIeBff1.exe; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: NGhyIeBff1.exe; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth; Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: NGhyIeBff1.exe; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: NGhyIeBff1.exe; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
    • 0xfef5:$a: NanoCore
    • 0xff05:$a: NanoCore
    • 0x10139:$a: NanoCore
    • 0x1014d:$a: NanoCore
    • 0x1018d:$a: NanoCore
    • 0xff54:$b: ClientPlugin
    • 0x10156:$b: ClientPlugin
    • 0x10196:$b: ClientPlugin
    • 0x1007b:$c: ProjectData
    • 0x10a82:$d: DESCrypto
    • 0x1844e:$e: KeepAlive
    • 0x1643c:$g: LogClientMessage
    • 0x12637:$i: get_Connected
    • 0x10db8:$j: #=q
    • 0x10de8:$j: #=q
    • 0x10e04:$j: #=q
    • 0x10e34:$j: #=q
    • 0x10e50:$j: #=q
    • 0x10e6c:$j: #=q
    • 0x10e9c:$j: #=q
    • 0x10eb8:$j: #=q

Dropped Files

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth; Strings:
    • 0xff05:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
      • 0xfef5:$a: NanoCore
      • 0xff05:$a: NanoCore
      • 0x10139:$a: NanoCore
      • 0x1014d:$a: NanoCore
      • 0x1018d:$a: NanoCore
      • 0xff54:$b: ClientPlugin
      • 0x10156:$b: ClientPlugin
      • 0x10196:$b: ClientPlugin
      • 0x1007b:$c: ProjectData
      • 0x10a82:$d: DESCrypto
      • 0x1844e:$e: KeepAlive
      • 0x1643c:$g: LogClientMessage
      • 0x12637:$i: get_Connected
      • 0x10db8:$j: #=q
      • 0x10de8:$j: #=q
      • 0x10e04:$j: #=q
      • 0x10e34:$j: #=q
      • 0x10e50:$j: #=q
      • 0x10e6c:$j: #=q
      • 0x10e9c:$j: #=q
      • 0x10eb8:$j: #=q

Memory Dumps

Source: 00000005.00000000.251774850.0000000000BA2000.00000002.00020000.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
      • 0xff8d:$x1: NanoCore.ClientPluginHost
      • 0xffca:$x2: IClientNetworkHost
      • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000005.00000000.251774850.0000000000BA2000.00000002.00020000.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000005.00000000.251774850.0000000000BA2000.00000002.00020000.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
        • 0xfcf5:$a: NanoCore
        • 0xfd05:$a: NanoCore
        • 0xff39:$a: NanoCore
        • 0xff4d:$a: NanoCore
        • 0xff8d:$a: NanoCore
        • 0xfd54:$b: ClientPlugin
        • 0xff56:$b: ClientPlugin
        • 0xff96:$b: ClientPlugin
        • 0xfe7b:$c: ProjectData
        • 0x10882:$d: DESCrypto
        • 0x1824e:$e: KeepAlive
        • 0x1623c:$g: LogClientMessage
        • 0x12437:$i: get_Connected
        • 0x10bb8:$j: #=q
        • 0x10be8:$j: #=q
        • 0x10c04:$j: #=q
        • 0x10c34:$j: #=q
        • 0x10c50:$j: #=q
        • 0x10c6c:$j: #=q
        • 0x10c9c:$j: #=q
        • 0x10cb8:$j: #=q
Source: 00000009.00000002.282233656.0000000003CE1000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000009.00000002.282233656.0000000003CE1000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
          • 0x49b4d:$a: NanoCore
          • 0x49ba6:$a: NanoCore
          • 0x49be3:$a: NanoCore
          • 0x49c5c:$a: NanoCore
          • 0x5d307:$a: NanoCore
          • 0x5d31c:$a: NanoCore
          • 0x5d351:$a: NanoCore
          • 0x76373:$a: NanoCore
          • 0x76388:$a: NanoCore
          • 0x763bd:$a: NanoCore
          • 0x49baf:$b: ClientPlugin
          • 0x49bec:$b: ClientPlugin
          • 0x4a4ea:$b: ClientPlugin
          • 0x4a4f7:$b: ClientPlugin
          • 0x5d0c3:$b: ClientPlugin
          • 0x5d0de:$b: ClientPlugin
          • 0x5d10e:$b: ClientPlugin
          • 0x5d325:$b: ClientPlugin
          • 0x5d35a:$b: ClientPlugin
          • 0x7612f:$b: ClientPlugin
          • 0x7614a:$b: ClientPlugin

Unpacked PEs

Source: 0.2.NGhyIeBff1.exe.4a30000.5.raw.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
          • 0xe75:$x1: NanoCore.ClientPluginHost
          • 0xe8f:$x2: IClientNetworkHost
Source: 0.2.NGhyIeBff1.exe.4a30000.5.raw.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth; Strings:
          • 0xe75:$x2: NanoCore.ClientPluginHost
          • 0x1261:$s3: PipeExists
          • 0x1136:$s4: PipeCreated
          • 0xeb0:$s5: IClientLoggingHost
Source: 9.2.dhcpmon.exe.3d2eba4.2.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
          • 0xd9ad:$x1: NanoCore.ClientPluginHost
          • 0xd9da:$x2: IClientNetworkHost
Source: 9.2.dhcpmon.exe.3d2eba4.2.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth; Strings:
          • 0xd9ad:$x2: NanoCore.ClientPluginHost
          • 0xea88:$s4: PipeCreated
          • 0xd9c7:$s5: IClientLoggingHost
Source: 9.2.dhcpmon.exe.3d2eba4.2.unpack; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\NGhyIeBff1.exe, ProcessId: 2940, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\NGhyIeBff1.exe, ProcessId: 2940, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\NGhyIeBff1.exe, ProcessId: 2940, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\NGhyIeBff1.exe, ProcessId: 2940, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.282233656.0000000003CE1000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "4446a45b-bad8-4335-9f6c-9bedde63", "Group": "Default", "Domain1": "192.168.2.23", "Domain2": "", "Port": 25565, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "f4ff9f00", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for submitted file
Source: NGhyIeBff1.exe; Virustotal: Detection: 82%
Source: NGhyIeBff1.exe; ReversingLabs: Detection: 97%
Antivirus / Scanner detection for submitted sample
Source: NGhyIeBff1.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Virustotal: Detection: 82%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 97%
Yara detected Nanocore RAT
Source: Yara match; File source: NGhyIeBff1.exe, type: SAMPLE
Source: Yara match; File source: 9.2.dhcpmon.exe.3d2eba4.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.dhcpmon.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.NGhyIeBff1.exe.41aeba4.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.5454629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.dhcpmon.exe.3d2eba4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.dhcpmon.exe.43c9d6e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.dhcpmon.exe.43d31cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.dhcpmon.exe.3d29d6e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.NGhyIeBff1.exe.41aeba4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.37231cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.NGhyIeBff1.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.NGhyIeBff1.exe.41b31cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.5450000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.3719d6e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.dhcpmon.exe.43ceba4.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.NGhyIeBff1.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.371eba4.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.5450000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.NGhyIeBff1.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.dhcpmon.exe.43ceba4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.371eba4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.NGhyIeBff1.exe.41a9d6e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.dhcpmon.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.0.dhcpmon.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.dhcpmon.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.dhcpmon.exe.3d331cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000000.251774850.0000000000BA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.282233656.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.266825203.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.242517446.0000000000022000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.266419908.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.266907129.0000000004161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.264110850.0000000000672000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.508409094.0000000000022000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.513452916.0000000003717000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.514797312.0000000005450000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.267348115.0000000003381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.280944264.0000000000672000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.265860531.0000000000BA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.281760860.0000000002CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.252639821.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.267443760.0000000004381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: NGhyIeBff1.exe PID: 2940, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: NGhyIeBff1.exe PID: 6120, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 5108, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6188, type: MEMORYSTR
Source: Yara match; File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Machine Learning detection for sample
Source: NGhyIeBff1.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Source: 0.2.NGhyIeBff1.exe.20000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.dhcpmon.exe.a40000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.0.NGhyIeBff1.exe.20000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.NGhyIeBff1.exe.ba0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.NGhyIeBff1.exe.5450000.7.unpack; Avira: Label: TR/NanoCore.fadte
Source: 5.2.NGhyIeBff1.exe.ba0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.dhcpmon.exe.a40000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.dhcpmon.exe.670000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.dhcpmon.exe.670000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: NGhyIeBff1.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\NGhyIeBff1.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: indows\mscorlib.pdbpdblib.pdb; source: NGhyIeBff1.exe, 00000000.00000002.511807781.0000000002355000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs:
Source: Malware configuration extractor; URLs: 192.168.2.23
Source: NGhyIeBff1.exe, 00000000.00000002.509781700.000000000077A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: NGhyIeBff1.exe, 00000000.00000002.513452916.0000000003717000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: NGhyIeBff1.exe, type: SAMPLE
Source: Yara match; File source: 9.2.dhcpmon.exe.3d2eba4.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.dhcpmon.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.NGhyIeBff1.exe.41aeba4.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.5454629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.dhcpmon.exe.3d2eba4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.dhcpmon.exe.43c9d6e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.dhcpmon.exe.43d31cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.dhcpmon.exe.3d29d6e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.NGhyIeBff1.exe.41aeba4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.37231cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.NGhyIeBff1.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.NGhyIeBff1.exe.41b31cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.5450000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.3719d6e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.dhcpmon.exe.43ceba4.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.NGhyIeBff1.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.371eba4.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.5450000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.NGhyIeBff1.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.dhcpmon.exe.43ceba4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NGhyIeBff1.exe.371eba4.3.raw.unpack, type: UNPACKEDPE