analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

812032185656-107-0_attach.1.Product Specification_pdf.arj.rar

Full analysis: https://app.any.run/tasks/cd2111a2-9938-42ab-9229-85bf9f107c33
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: November 08, 2018, 14:51:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
nanocore
rat
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

069F862B6DD101A4088C61F183C1921D

SHA1:

793C25A35F141F9CBACB7F960217B35B4C22ECB3

SHA256:

00CE25C917CA3773F0C0E68AF77B17339F30C4C79FD7069E402BE4F200590043

SSDEEP:

12288:+rHG8b/whRy9sWjAr71OPvykgN/2HV6n2XCNPNUH:gm8rwmaR71cyNv2yje

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • windows.exe (PID: 1624)
      • Product Specification_pdf.exe (PID: 2332)
      • windows.exe (PID: 3020)

    • Writes to a start menu file

      • windows.exe (PID: 1624)

    • NanoCore was detected

      • windows.exe (PID: 3020)

    • Changes the autorun value in the registry

      • windows.exe (PID: 3020)

    • Connects to CnC server

      • windows.exe (PID: 3020)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Product Specification_pdf.exe (PID: 2332)
      • windows.exe (PID: 3020)

    • Creates files in the user directory

      • Product Specification_pdf.exe (PID: 2332)
      • windows.exe (PID: 3020)
      • windows.exe (PID: 1624)

    • Starts itself from another location

      • Product Specification_pdf.exe (PID: 2332)

    • Application launched itself

      • windows.exe (PID: 1624)

    • Connects to unusual port

      • windows.exe (PID: 3020)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: Product Specification_pdf.exe
PackingMethod: Normal
ModifyDate: 2018:11:07 23:46:09
OperatingSystem: Win32
UncompressedSize: 774656
CompressedSize: 443311
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs product specification_pdf.exe windows.exe #NANOCORE windows.exe

Process information

PID
CMD
Path
Indicators
Parent process
3164"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\812032185656-107-0_attach.1.Product Specification_pdf.arj.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2332"C:\Users\admin\Desktop\Product Specification_pdf.exe" C:\Users\admin\Desktop\Product Specification_pdf.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1624"C:\Users\admin\AppData\Roaming\java\windows.exe"C:\Users\admin\AppData\Roaming\java\windows.exe
Product Specification_pdf.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3020"C:\Users\admin\AppData\Roaming\java\windows.exe"C:\Users\admin\AppData\Roaming\java\windows.exe
windows.exe
User:
admin
Integrity Level:
MEDIUM
Total events
461
Read events
448
Write events
13
Delete events
0

Modification events

(PID) Process:(3164) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3164) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3164) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3164) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\812032185656-107-0_attach.1.Product Specification_pdf.arj.rar
(PID) Process:(3164) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3164) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3164) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3164) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3164) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Operation:writeName:Band56_0
Value:
38000000730100000402000000000000D4D0C800000000000000000000000000FA0103000000000039000000B40200000000000001000000
(PID) Process:(3164) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Operation:writeName:Band56_1
Value:
38000000730100000500000000000000D4D0C800000000000000000000000000F201040000000000160000002A0000000000000002000000
Executable files
2
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3164WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3164.22545\Product Specification_pdf.exe
MD5:
SHA256:
2332Product Specification_pdf.exeC:\Users\admin\AppData\Roaming\java\windows.exe:ZoneIdentifier
MD5:
SHA256:
3020windows.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dattext
MD5:E516E3C28325786BCB034016A84F7DFF
SHA256:9C0036516F6E943D7B8D1891D5E066212EEB2022136BA6398816B07E46D592C5
1624windows.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.vbstext
MD5:392F4EB280795F4F33466FBBC2023DC5
SHA256:EB06B73072CBAEDFE09D97DA6CD5D44B14D0FA40B656E237F392EC1CA958FF22
3020windows.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exeexecutable
MD5:575850FD3367AD73BBFAA0069C4A9A44
SHA256:88648629309BCF0D453E15E357D2197B97207665E2FB24CAA4F8AD2517237259
2332Product Specification_pdf.exeC:\Users\admin\AppData\Roaming\java\windows.exeexecutable
MD5:575850FD3367AD73BBFAA0069C4A9A44
SHA256:88648629309BCF0D453E15E357D2197B97207665E2FB24CAA4F8AD2517237259
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3020
windows.exe
93.87.38.13:9656
TELEKOM SRBIJA a.d.
RS
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
3020
windows.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 60B
3020
windows.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
3020
windows.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
3020
windows.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
15 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
812032185656-107-0_attach.1.Product Specification_pdf.arj.rar