Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 1682
- * MalFamily: "Nanocore"
- * MalScore: 10.0
- * File Name: "NanoCore_fb229b03784ad63ca1a7cc6191364158.exe"
- * File Size: 507904
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "f54f5002fa901362b43715d5f581b984621bee92a1ce11f86b91aa8656c0f56d"
- * MD5: "fb229b03784ad63ca1a7cc6191364158"
- * SHA1: "151672d769dc811fe30b7ea68a80f9233eb2bf5a"
- * SHA512: "27ab7abeb98327cb743e6fe62a0c5dd8b360c4b8aafa3c6838986c02ada30e38e3511ea5b093ddf165dbac060e1e8ba646cbcb86c04e9b3fdce9906fdf1802b6"
- * CRC32: "60F3A159"
- * SSDEEP: "12288:xtV8DgLybOGNyOArVD36fDlPqIwo3Zg8:xtVV+bOGEOI3WDlPqeZg8"
- * Process Execution:
- "whbhv.exe",
- "whbhv.exe",
- "schtasks.exe",
- "schtasks.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\whbhv.exe\"",
- "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6206.tmp\"",
- "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CF4.tmp\""
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP_ioc": "79.134.225.74:2177 (Switzerland)"
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "whbhv.exe, PID 2220"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "whbhv.exe tried to sleep 1032 seconds, actually delayed analysis time by 0 seconds"
- "Process": "svchost.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details":
- "ioc": "v2.0.50727"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "whbhv.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6206.tmp\""
- "Process": "whbhv.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CF4.tmp\""
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .text, entropy: 7.11, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00079000, virtual_size: 0x00078bf0"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6206.tmp\""
- "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CF4.tmp\""
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "whbhv.exe(2220) -> whbhv.exe(2988)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "whbhv.exe(2220) -> whbhv.exe(2988)"
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\whbhv.exe:Zone.Identifier"
- "Description": "Attempts to execute a Living Off The Land Binary command for post exeploitation",
- "Details":
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
- "data": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
- "Description": "Exhibits behavior characteristic of Nanocore RAT",
- "Details":
- "Description": "File has been identified by 16 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.fb229b03784ad63c"
- "Cylance": "Unsafe"
- "Cybereason": "malicious.769dc8"
- "Invincea": "heuristic"
- "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.gc"
- "Trapmine": "malicious.high.ml.score"
- "SentinelOne": "DFI - Suspicious PE"
- "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "Endgame": "malicious (high confidence)"
- "Acronis": "suspicious"
- "McAfee": "Fareit-FPW!FB229B03784A"
- "CrowdStrike": "win/malicious_confidence_70% (D)"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
- "Description": "Collects information to fingerprint the system",
- "Details":
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\57ac23a9-49e6-40ed-b469-3425e518602c",
- "Global\\.net clr networking"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat",
- "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6206.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\task.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CF4.tmp",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
- * Deleted Files:
- "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\DSL Subsystem\\dslss.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6206.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CF4.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\whbhv.exe:Zone.Identifier",
- "C:\\Windows\\Tasks\\DSL Subsystem.job",
- "C:\\Windows\\Tasks\\DSL Subsystem Task.job",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\3F840E57-A70C-4327-8D4C-6299DE36D6F0\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\3F840E57-A70C-4327-8D4C-6299DE36D6F0\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\3F840E57-A70C-4327-8D4C-6299DE36D6F0\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem Task\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem Task\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Triggers"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job.fp",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem Task.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem Task.job.fp"
- * DNS Communications:
- "type": "A",
- "request": "harri2gud.duckdns.org",
- "answers":
- * Domains:
- "ip": "79.134.225.74",
- "domain": "harri2gud.duckdns.org"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Switzerland",
- "ip": "79.134.225.74",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement