Dynamic Analysis Report
Created on 2022-08-05T19:57:54+00:00
Sample: 3c0512176cbca3ce1b0abc5f505a3abbcd39909c20095d995f019197f42439d3.exe (Windows Exe (x86-32))
Verdict: Malicious
Classifications: Spyware, Backdoor
Threat Names: NanoCore
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\Desktop\3c0512176cbca3ce1b0abc5f505a3abbcd39909c20095d995f019197f42439d3.exe | Sample File | Binary | Malicious |
PE Information
Field | Value |
---|---|
Image Base | 0x00400000 |
Entry Point | 0x0041E792 |
Size Of Code | 0x0001C800 |
Size Of Initialized Data | 0x00010C00 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2015-02-22 01:49 (UTC+1) |
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x0001C798 | 0x0001C800 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.6 |
.reloc | 0x00420000 | 0x0000000C | 0x00000200 | 0x0001CA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
.rsrc | 0x00422000 | 0x00010860 | 0x00010A00 | 0x0001CC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 8.0 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x0001E760 | 0x0001C960 | 0x00000000 |
Memory Dumps (33)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
3c0512176cbca3ce1b0abc5f505a3abbcd39909c20095d995f019197f42439d3.exe | 1 | 0x00400000 | 0x00433FFF | Relevant Image | 64-bit | - |
3c0512176cbca3ce1b0abc5f505a3abbcd39909c20095d995f019197f42439d3.exe | 1 | 0x00400000 | 0x00433FFF | Final Dump | 64-bit | - |
buffer | 1 | 0x1AE60000 | 0x1AE64FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1AE70000 | 0x1AE83FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02070000 | 0x02072FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1BD3B000 | 0x1BD3FFFF | First Network Behavior | 64-bit | - |
buffer | 1 | 0x1BBC6000 | 0x1BBCFFFF | First Network Behavior | 64-bit | - |
buffer | 1 | 0x1B8EE000 | 0x1B8EFFFF | First Network Behavior | 64-bit | - |
buffer | 1 | 0x1B7EC000 | 0x1B7EFFFF | First Network Behavior | 64-bit | - |
buffer | 1 | 0x1AD5C000 | 0x1AD5FFFF | First Network Behavior | 64-bit | - |
buffer | 1 | 0x0013D000 | 0x0014FFFF | First Network Behavior | 64-bit | - |
3c0512176cbca3ce1b0abc5f505a3abbcd39909c20095d995f019197f42439d3.exe | 1 | 0x00400000 | 0x00433FFF | First Network Behavior | 64-bit | - |
buffer | 1 | 0x00560000 | 0x0056CFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
agpsvc.exe | 2 | 0x00400000 | 0x00433FFF | Relevant Image | 64-bit | - |
buffer | 2 | 0x022B0000 | 0x022B4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 2 | 0x02320000 | 0x02333FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 2 | 0x02150000 | 0x02152FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 2 | 0x1AF60000 | 0x1AF6CFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 2 | 0x1AF70000 | 0x1AF7CFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 2 | 0x1B8E0000 | 0x1B8E5FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 2 | 0x1B8F0000 | 0x1B8FEFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 2 | 0x1B900000 | 0x1B909FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 2 | 0x1B910000 | 0x1B938FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 2 | 0x00580000 | 0x0058EFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 2 | 0x1BEB0000 | 0x1BF39FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 2 | 0x1C36B000 | 0x1C36FFFF | First Network Behavior | 64-bit | - |
buffer | 2 | 0x1BE86000 | 0x1BE8FFFF | First Network Behavior | 64-bit | - |
buffer | 2 | 0x1BBAE000 | 0x1BBAFFFF | First Network Behavior | 64-bit | - |
buffer | 2 | 0x1BAAC000 | 0x1BAAFFFF | First Network Behavior | 64-bit | - |
buffer | 2 | 0x1AE5C000 | 0x1AE5FFFF | First Network Behavior | 64-bit | - |
buffer | 2 | 0x0013D000 | 0x0014FFFF | First Network Behavior | 64-bit | - |
agpsvc.exe | 2 | 0x00400000 | 0x00433FFF | First Network Behavior | 64-bit | - |
agpsvc.exe | 2 | 0x00400000 | 0x00433FFF | Final Dump | 64-bit | - |
YARA Matches (1)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
NanoCoreRAT | NanoCore RAT | Backdoor | 5/5 |
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\storage.dat | Dropped File | Stream | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\catalog.dat | Dropped File | Stream | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\Logs\RDhJ0CNFevzX\KB_26088703.dat | Dropped File | Stream | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\settings.bak | Dropped File | Stream | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\settings.bak | Dropped File | Stream | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Roaming\03845CB8-7441-4A2F-8C0F-C90408AF5778\run.dat | Dropped File | Stream | Clean |
37af1cc5a7606c4cce476c2324b066c3a7f625eee010baf8347937ad13fd4081 | Extracted File | Image | Clean |