Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Shaheed CV.exe

Overview

General Information

Sample Name:Shaheed CV.exe
Analysis ID:713264
MD5:bea958c83d0aa73cdf2c72485c4d2fe8
SHA1:ffc8e9e84a7b7cb625bfebd041ce39ec0f20c573
SHA256:3507dd4118b87dcecb315684892df75af68bcfa1860a10f17309a76fecc45fda
Tags:exeNanoCoreRAT
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Shaheed CV.exe (PID: 4896 cmdline: "C:\Users\user\Desktop\Shaheed CV.exe" MD5: BEA958C83D0AA73CDF2C72485C4D2FE8)
    • Shaheed CV.exe (PID: 4408 cmdline: {path} MD5: BEA958C83D0AA73CDF2C72485C4D2FE8)
      • schtasks.exe (PID: 5248 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp622.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1372 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA49.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Shaheed CV.exe (PID: 5432 cmdline: "C:\Users\user\Desktop\Shaheed CV.exe" 0 MD5: BEA958C83D0AA73CDF2C72485C4D2FE8)
    • Shaheed CV.exe (PID: 3888 cmdline: {path} MD5: BEA958C83D0AA73CDF2C72485C4D2FE8)
  • dhcpmon.exe (PID: 5336 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: BEA958C83D0AA73CDF2C72485C4D2FE8)
    • dhcpmon.exe (PID: 3192 cmdline: {path} MD5: BEA958C83D0AA73CDF2C72485C4D2FE8)
  • dhcpmon.exe (PID: 4884 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: BEA958C83D0AA73CDF2C72485C4D2FE8)
    • dhcpmon.exe (PID: 4928 cmdline: {path} MD5: BEA958C83D0AA73CDF2C72485C4D2FE8)
    • dhcpmon.exe (PID: 2232 cmdline: {path} MD5: BEA958C83D0AA73CDF2C72485C4D2FE8)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "99bdd317-26d2-4098-abcb-4bff156f", "Group": "Default", "Domain1": "xp230522.ddns.net", "Domain2": "xp230522.ddns.net", "Port": 1996, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}
SourceRuleDescriptionAuthorStrings
00000012.00000002.403654416.000000000400E000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
  • 0x1d91:$a1: NanoCore.ClientPluginHost
  • 0x1d5c:$a2: NanoCore.ClientPlugin
  • 0x1dab:$b9: IClientLoggingHost
00000001.00000002.540864195.00000000070F0000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
00000001.00000002.540864195.00000000070F0000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x5b99:$x2: NanoCore.ClientPluginHost
  • 0x6bce:$s4: PipeCreated
  • 0x5b86:$s5: IClientLoggingHost
00000001.00000002.540864195.00000000070F0000.00000004.08000000.00040000.00000000.sdmpMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
  • 0x5b70:$x2: NanoCore.ClientPlugin
  • 0x5b99:$x3: NanoCore.ClientPluginHost
  • 0x5b61:$i3: IClientNetwork
  • 0x5b86:$i6: IClientLoggingHost
  • 0x5bb3:$i7: IClientNetworkHost
  • 0x59d4:$s1: ClientPlugin
  • 0x5b79:$s1: ClientPlugin
  • 0x5e84:$s2: EndPoint
  • 0x5e8d:$s3: IPAddress
  • 0x5e97:$s4: IPEndPoint
00000001.00000002.540864195.00000000070F0000.00000004.08000000.00040000.00000000.sdmpWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
  • 0x5b99:$a1: NanoCore.ClientPluginHost
  • 0x5b70:$a2: NanoCore.ClientPlugin
  • 0x5b86:$b9: IClientLoggingHost