Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.908482488052613
Filename:	Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Filesize:	555520
MD5:	717fc8318eb370b1e8ae630af9fe431d
SHA1:	842ee97ed218857603188de6831afcc9919addd6
SHA256:	6035a6b2488b6c073d4b1cda9c9879e207b73e94c3551624667e59cc8719dd01
SHA512:	bcfcf0b516ada1d2d1eb7c4e50b99b060bfa1f3fa7e14e36541fb1106242afc2c6ea2921dc11992d0c5c00fc66cbe7600cd07d64f94cbaebc52e70d1a0c091f0
SSDEEP:	12288:Pp/rlgHiwwUkLzPOca+3Jr/m/O4EBSMF5puoyOkWKZWhJlQ:5p8ErNt/Wcu+kWtHlQ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}b..............0..p............... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Detected Nanocore Rat	Remote Access Functionality	Remote Access Software
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Uses 32bit PE files	Compliance, System Summary	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Yara signature match	System Summary
Antivirus or Machine Learning detection for unpacked file	AV Detection
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Creates processes with suspicious names	Persistence and Installation Behavior
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Uses an in-process (OLE) Automation server	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Creates mutexes	System Summary
URLs found in memory or binary data	Networking
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.log
Category:	dropped
Dump:	Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.345811588615766
Encrypted:	false
Ssdeep:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
Size:	1308
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Non-ISO extended-ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Category:	dropped
Dump:	run.dat.5.dr
ID:	dr_1
Target ID:	5
Process:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Type:	Non-ISO extended-ASCII text, with no line terminators
Entropy:	3.0
Encrypted:	false
Ssdeep:	3:LNln:LNl
Size:	8
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: NanoCore	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Category:	dropped
Dump:	catalog.dat.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Type:	data
Entropy:	7.024371743172393
Encrypted:	false
Ssdeep:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
Size:	232
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Category:	dropped
Dump:	settings.bin.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Type:	data
Entropy:	5.153055907333276
Encrypted:	false
Ssdeep:	3:9bzY6oRDT6P2bfVn1:RzWDT621
Size:	40
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Category:	dropped
Dump:	storage.dat.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Type:	data
Entropy:	7.99938831605763
Encrypted:	true
Ssdeep:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
Size:	327432
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe

"C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe"

Details

Is windows:	false
Is dropped:	false
PID:	6316
Target ID:	0
Parent PID:	1432
Name:	Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Path:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Commandline:	"C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe"
Size:	555520
MD5:	717FC8318EB370B1E8AE630AF9FE431D
Time:	08:07:13
Date:	13/05/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa10000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: NanoCore	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Nanocore RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe

Details

Is windows:	false
Is dropped:	false
PID:	6632
Target ID:	4
Parent PID:	6316
Name:	Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Path:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Commandline:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Size:	555520
MD5:	717FC8318EB370B1E8AE630AF9FE431D
Time:	08:07:26
Date:	13/05/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x50000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: NanoCore	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Nanocore RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe

Details

Is windows:	false
Is dropped:	false
PID:	6648
Target ID:	5
Parent PID:	6316
Name:	Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Path:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Commandline:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Size:	555520
MD5:	717FC8318EB370B1E8AE630AF9FE431D
Time:	08:07:28
Date:	13/05/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xec0000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: NanoCore	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Nanocore RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

deranano2.ddns.net

http://www.fontbureau.com/designersG

unknown

http://www.sajatypeworks.comiv;b

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://www.fontbureau.com/designers?

unknown

http://www.fontbureau.com/designersB

unknown

http://www.founder.com.cn/cn?

unknown

http://www.sajatypeworks.com=

unknown

http://www.tiro.com

unknown

http://www.fontbureau.comdko

unknown

http://www.fontbureau.com/designers

unknown

http://www.founder.com.cn/cn=

unknown

http://www.goodfont.co.kr

unknown

http://www.jiyu-kobo.co.jp/jp/;N

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.jiyu-kobo.co.jp/&N

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://fontfabrik.com

unknown

http://www.fontbureau.comgrita

unknown

http://www.galapagosdesign.com/n

unknown

http://www.jiyu-kobo.co.jp/CN

unknown

http://www.fontbureau.comessedqN

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.fontbureau.comasva0N

unknown

http://www.zhongyicts.com.cn

unknown

http://www.fontbureau.comoJN

unknown

http://www.sajatypeworks.come

unknown

http://www.sakkal.com

unknown

http://www.jiyu-kobo.co.jp/qN

unknown

http://www.fontbureau.comalsd

unknown

http://www.jiyu-kobo.co.jp/gN

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.jiyu-kobo.co.jp/)N

unknown

http://www.fontbureau.comF

unknown

http://www.fontbureau.comnN7

unknown

http://www.sajatypeworks.comt

unknown

http://www.jiyu-kobo.co.jp/jp/

unknown

http://en.w

unknown

http://www.carterandcone.coml

unknown

http://www.fontbureau.comFgN

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-jones.html

unknown

http://www.jiyu-kobo.co.jp/nN7

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://www.fontbureau.como

unknown

http://www.fontbureau.com/designers8

unknown

http://www.jiyu-kobo.co.jp/JN

unknown

There are 46 hidden URLs, click here to show them.

Domains

Name

Malicious

deranano2.ddns.net

212.193.30.204

Details

Name:	deranano2.ddns.net
IP:	212.193.30.204
TargetID:	5
Current Path:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

212.193.30.204

deranano2.ddns.net

Russian Federation

Details

IP:	212.193.30.204
TargetID:	5
Current Path:	C:\Users\user\Desktop\Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	57844
ASN name:	SPD-NETTR
Private:	false
Domain:	deranano2.ddns.net

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

192.168.2.1

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

Details

Name:	00000005.00000000.283132677.0000000000402000.00000040.00000400.00020000.00000000.sdmp
TargetID:	5
Dumpstage:	process new
Regiontype:	remote allocation
Protect:	page execute and read and write
Base address:	402000
Size:	118784

Signature Hits	Behavior Group	Mitre Attack
Detected Nanocore Rat	Remote Access Functionality	Remote Access Software
Malicious sample detected (through community Yara rule)	System Summary
Yara detected Nanocore RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara signature match	System Summary

2E71000

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportCircular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe