
Windows Analysis Report ameHrrFwNp.exe

Overview

General Information

Sample Name: ameHrrFwNp.exe
Analysis ID: 501919
MD5: 1f221e6e2a07d553e3fcf5bdb5874b2e
SHA1: 0cd7541409f63dda3781d18c61bdcd74782192e6
SHA256: 2d2f62269797be7ef763ac2da37e4c190381cfba8798e92e73ee9aa2084386f1
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Creates multiple autostart registry keys
Connects to many ports of the same IP (likely port scanning)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
File is packed with WinRar
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • ameHrrFwNp.exe (PID: 5216 cmdline: 'C:\Users\user\Desktop\ameHrrFwNp.exe' MD5: 1F221E6E2A07D553E3FCF5BDB5874B2E)
    • bspmflqee.pif (PID: 3836 cmdline: 'C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif' ewdsxu.ije MD5: 8E699954F6B5D64683412CC560938507)
      • RegSvcs.exe (PID: 4644 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • schtasks.exe (PID: 6764 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8F04.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 2352 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp94A3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 2148 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • bspmflqee.pif (PID: 1048 cmdline: 'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije MD5: 8E699954F6B5D64683412CC560938507)
    • RegSvcs.exe (PID: 3560 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 5076 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wscript.exe (PID: 7032 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • dhcpmon.exe (PID: 1504 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 1376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • bspmflqee.pif (PID: 3032 cmdline: 'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije MD5: 8E699954F6B5D64683412CC560938507)
    • RegSvcs.exe (PID: 5572 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 6664 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • bspmflqee.pif (PID: 4732 cmdline: 'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije MD5: 8E699954F6B5D64683412CC560938507)
    • RegSvcs.exe (PID: 6540 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 5104 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xf1e5:$x1: NanoCore.ClientPluginHost
  • 0xf222:$x2: IClientNetworkHost
  • 0x12d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xef4d:$a: NanoCore
  • 0xef5d:$a: NanoCore
  • 0xf191:$a: NanoCore
  • 0xf1a5:$a: NanoCore
  • 0xf1e5:$a: NanoCore
  • 0xefac:$b: ClientPlugin
  • 0xf1ae:$b: ClientPlugin
  • 0xf1ee:$b: ClientPlugin
  • 0xf0d3:$c: ProjectData
  • 0xfada:$d: DESCrypto
  • 0x174a6:$e: KeepAlive
  • 0x15494:$g: LogClientMessage
  • 0x1168f:$i: get_Connected
  • 0xfe10:$j: #=q
  • 0xfe40:$j: #=q
  • 0xfe5c:$j: #=q
  • 0xfe8c:$j: #=q
  • 0xfea8:$j: #=q
  • 0xfec4:$j: #=q
  • 0xfef4:$j: #=q
  • 0xff10:$j: #=q

Source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xf9ed:$x1: NanoCore.ClientPluginHost
  • 0xfa2a:$x2: IClientNetworkHost
  • 0x1355d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security