Windows
Analysis Report
attached PI.exe
Overview
General Information
Detection
Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Sigma detected: Scheduled temp file as task from temp location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- attached PI.exe (PID: 1604, cmdline: "C:\Users\user\Desktop\attached PI.exe", MD5: 238B41E834F3B663584D4788493BC75F)
  - schtasks.exe (PID: 3836, cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ecCUXmnB" /XML "C:\Users\user\AppData\Local\Temp\tmpE760.tmp", MD5: 15FF7D8324231381BAD48A052F85DF04)
  - conhost.exe (PID: 6068, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - attached PI.exe (PID: 3092, cmdline: {path}, MD5: 238B41E834F3B663584D4788493BC75F)
  - attached PI.exe (PID: 4748, cmdline: {path}, MD5: 238B41E834F3B663584D4788493BC75F)
  - schtasks.exe (PID: 4648, cmdline: "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpD63A.tmp", MD5: 15FF7D8324231381BAD48A052F85DF04)
  - conhost.exe (PID: 2904, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - schtasks.exe (PID: 5328, cmdline: "schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpD9B5.tmp", MD5: 15FF7D8324231381BAD48A052F85DF04)
  - conhost.exe (PID: 5360, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- attached PI.exe (PID: 5344, cmdline: "C:\Users\user\Desktop\attached PI.exe" 0, MD5: 238B41E834F3B663584D4788493BC75F)
  - schtasks.exe (PID: 5072, cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ecCUXmnB" /XML "C:\Users\user\AppData\Local\Temp\tmp6181.tmp", MD5: 15FF7D8324231381BAD48A052F85DF04)
  - conhost.exe (PID: 1236, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - attached PI.exe (PID: 5216, cmdline: {path}, MD5: 238B41E834F3B663584D4788493BC75F)
  - attached PI.exe (PID: 2192, cmdline: {path}, MD5: 238B41E834F3B663584D4788493BC75F)
- dhcpmon.exe (PID: 4596, cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0, MD5: 238B41E834F3B663584D4788493BC75F)
  - schtasks.exe (PID: 6132, cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ecCUXmnB" /XML "C:\Users\user\AppData\Local\Temp\tmp6CEB.tmp", MD5: 15FF7D8324231381BAD48A052F85DF04)
  - conhost.exe (PID: 5356, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - dhcpmon.exe (PID: 4460, cmdline: {path}, MD5: 238B41E834F3B663584D4788493BC75F)
- dhcpmon.exe (PID: 4812, cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe", MD5: 238B41E834F3B663584D4788493BC75F)
  - schtasks.exe (PID: 5920, cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ecCUXmnB" /XML "C:\Users\user\AppData\Local\Temp\tmp8C89.tmp", MD5: 15FF7D8324231381BAD48A052F85DF04)
  - conhost.exe (PID: 5184, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - dhcpmon.exe (PID: 2620, cmdline: {path}, MD5: 238B41E834F3B663584D4788493BC75F)
- cleanup
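Two things in the process tree are worth turning into detection logic. Every schtasks.exe invocation reads its task definition from a .tmp file in the user's AppData\Local\Temp directory (the behaviour behind the "Scheduled temp file as task from temp location" Sigma hit), and dhcpmon.exe under "Program Files (x86)\DHCP Monitor" carries the same MD5 as the submitted sample, i.e. the sample copied itself there and re-registered the "Updates\ecCUXmnB" task from the new location. The script below is an added example, not code from the sandbox or from the Sigma rule: it parses schtasks command lines and flags task creation from a temp-staged XML. The command lines are constructed from the tree above; the temp-path list and the benign control line are assumptions.

```python
import re

# Constructed sample: the schtasks/conhost command lines from the process tree
# above (de-garbled), plus one benign control line that should not alert.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ecCUXmnB" /XML "C:\Users\user\AppData\Local\Temp\tmpE760.tmp"',
    r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpD63A.tmp"',
    r'"schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpD9B5.tmp"',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"',
]

# Locations a legitimate installer has no reason to stage a task definition in.
# Assumption: extend this tuple with staging paths seen in your own environment.
TEMP_PATTERNS = (
    re.compile(r'\\AppData\\Local\\Temp\\', re.I),
    re.compile(r'\\Windows\\Temp\\', re.I),
    re.compile(r'^%temp%\\', re.I),
)

def tokenize(cmdline):
    """Split a Windows command line on whitespace while keeping double-quoted
    arguments (such as 'DHCP Monitor') together; the quotes are stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_schtasks(cmdline):
    """Return schtasks switches as a dict, or None if this is not schtasks.exe.
    Switches are lower-cased so /Create and /create compare equal."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts = {}
    i = 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw in ("/tn", "/xml", "/tr", "/sc", "/ru", "/rl") and i + 1 < len(toks):
            opts[sw] = toks[i + 1]   # switch that takes a value
            i += 2
        else:
            opts[sw] = True          # flag-style switch (/create, /f, ...)
            i += 1
    return opts

def detect_temp_task(cmdline):
    """Flag 'schtasks /create ... /xml <file>' where <file> lives in a temp
    directory; returns a finding dict or None."""
    opts = parse_schtasks(cmdline)
    if not opts or "/create" not in opts or "/xml" not in opts:
        return None
    xml_path = opts["/xml"]
    if not any(p.search(xml_path) for p in TEMP_PATTERNS):
        return None
    return {
        "task": opts.get("/tn", ""),
        "xml": xml_path,
        "force": "/f" in opts,                                   # silently overwrite an existing task
        "disguised_ext": not xml_path.lower().endswith(".xml"),  # .tmp instead of .xml
    }

def scan(cmdlines):
    """Run the detector over a list of command lines and keep the hits."""
    hits = []
    for c in cmdlines:
        hit = detect_temp_task(c)
        if hit:
            hits.append(hit)
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_CMDLINES):
        print(h)
```

Run against the five constructed lines it reports the three NanoCore task registrations and stays quiet on conhost and on the control line whose XML sits under ProgramData. The "force" flag separates the "DHCP Monitor" tasks, which overwrite whatever exists, from the "Updates\ecCUXmnB" registration; in telemetry, the parent process of schtasks.exe (here the sample itself) is the second field to pivot on.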
Malware Configuration
{
  "Version": "1.2.2.0",
  "Mutex": "fba1bbc6-2cc8-4c94-b6c0-dda5a12f",
  "Group": "Default",
  "Domain1": "brightnano1.ddns.net",
  "Domain2": "",
  "Port": 1989,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>"
}
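The configuration ties the signatures together: "Domain1" plus "Port" give the C2 endpoint on a dynamic-DNS host (brightnano1.ddns.net:1989), "ClearZoneIdentifier" matches the zone.identifier signature, "KeyboardLogging" matches the raw-input-device signature, and the task XML in "BypassUserAccountControlData" is the mechanism behind "BypassUAC": a task with RunLevel HighestAvailable, no triggers, and a Command placeholder ("#EXECUTABLEPATH") that the implant fills in with its own path, intended to hand the malware an elevated process on demand. The script below is an added example, not NanoCore's code or the sandbox's config extractor: it parses that task XML and pulls the IOCs out of a config dict shaped like the one above. The config dict is a trimmed copy of the extracted configuration (same values, fewer keys), the Settings block of the XML is shortened to the elements inspected, and the dynamic-DNS suffix list is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the task XML from BypassUserAccountControlData above, with
# the long <Settings> block trimmed to the elements this script inspects.
TASK_XML = '''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Hidden>false</Hidden>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>'''

# Constructed input: a trimmed copy of the extracted configuration above.
CONFIG = {
    "Version": "1.2.2.0",
    "Mutex": "fba1bbc6-2cc8-4c94-b6c0-dda5a12f",
    "Domain1": "brightnano1.ddns.net",
    "Domain2": "",
    "Port": 1989,
    "KeyboardLogging": "Enable",
    "BypassUAC": "Enable",
    "ClearZoneIdentifier": "Enable",
    "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "8.8.8.8",
    "BackupDNSServer": "8.8.4.4",
    "BypassUserAccountControlData": TASK_XML,
}

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Partial list of dynamic-DNS suffixes (assumption: extend for your environment).
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".hopto.org", ".duckdns.org")

def analyze_task_xml(xml_text):
    """Parse a Task Scheduler XML definition and flag the properties that make it
    usable as an elevation helper: elevated RunLevel, no triggers (on-demand only),
    and a command/argument pair the installer fills in later."""
    # The declaration claims UTF-16 but we hold a str; drop it before parsing.
    body = re.sub(r'^\s*<\?xml[^>]*\?>', '', xml_text)
    root = ET.fromstring(body)
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    on_demand = root.findtext("t:Settings/t:AllowStartOnDemand", default="", namespaces=NS)
    triggers = root.find("t:Triggers", NS)
    findings = []
    if run_level == "HighestAvailable":
        findings.append("RunLevel HighestAvailable: action runs at the highest integrity the user holds")
    if triggers is not None and len(triggers) == 0 and on_demand == "true":
        findings.append("no triggers, on-demand only: the task exists to be started with schtasks /run")
    if "#EXECUTABLEPATH" in command:
        findings.append("Command is a placeholder replaced with the implant's path at install time")
    if "$(Arg0)" in arguments:
        findings.append("Arguments are forwarded from whoever starts the task")
    return {"run_level": run_level, "command": command, "arguments": arguments, "findings": findings}

def extract_iocs(config):
    """Pull network and host IOCs out of a NanoCore-style config dict."""
    domains = [config[k] for k in ("Domain1", "Domain2") if config.get(k)]
    return {
        "c2": [(d, config["Port"]) for d in domains],
        "dynamic_dns": [d for d in domains if d.lower().endswith(DDNS_SUFFIXES)],
        "mutex": config.get("Mutex"),
        "dns_servers": [config[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if config.get(k)],
        "flags": sorted(k for k, v in config.items() if v == "Enable"),
    }

if __name__ == "__main__":
    print(extract_iocs(CONFIG))
    for f in analyze_task_xml(CONFIG["BypassUserAccountControlData"])["findings"]:
        print("-", f)
```

The hard-coded resolvers (8.8.8.8 / 8.8.4.4 with "UseCustomDNS" enabled) mean the C2 lookup for brightnano1.ddns.net bypasses the internal resolver, so DNS-based blocking on the corporate resolver will not catch it; egress filtering of port 53 to external resolvers and the 1989/tcp connection itself are the controls that do.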
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth | |
| Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | |
| MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen | |
| Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown | |
| Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown | |