File name: SWIFTMT202_105RD119002425.uue

Full analysis: https://app.any.run/tasks/4ab02310-1092-43cf-b3d5-4c74e6d1315a
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). It is highly customizable through plugins that let attackers tailor its functionality to their needs. NanoCore is written for the .NET framework and is available for purchase for just $25 from its "official" website.

Analysis date: September 11, 2019, 08:41:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, nanocore, trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5 (a RAR archive despite the .uue extension; WinRAR opens it as an archive regardless, see PID 3576 below)
MD5: EC2D1C1F67DFCB95D4D6D10C76DAFFB9
SHA1: 375C583DD5AC7ADB4261D58F9B73671668222726
SHA256: 020F6B37B0F2B014B9684FEEA0CC38454879D33228D16045D71884C1A1F6B581
SSDEEP: 24576:6zZipy1/cyykeBvvgIPqP8MVBjdFyjp7FHiprDrFkRgJFAIWNTyFO:MZipbyzIvvRqUY7YtFkrF+AFARTyQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • xbb.exe (PID: 3280)
      • SWIFTMT202_105RD119002425.exe (PID: 3248)
    • Changes the autorun value in the registry
      • xbb.exe (PID: 3280)
    • Connects to CnC server
      • RegSvcs.exe (PID: 3032)
    • NANOCORE was detected
      • RegSvcs.exe (PID: 3032)
  • SUSPICIOUS
    • Executes scripts
      • SWIFTMT202_105RD119002425.exe (PID: 3248)
    • Connects to unusual port
      • RegSvcs.exe (PID: 3032)
    • Creates files in the user directory
      • RegSvcs.exe (PID: 3032)
    • Executable content was dropped or overwritten
      • SWIFTMT202_105RD119002425.exe (PID: 3248)
      • WinRAR.exe (PID: 3576)
    • Drops an AutoIt3 executable file
      • SWIFTMT202_105RD119002425.exe (PID: 3248)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • SWIFTMT202_105RD119002425.exe (PID: 3248)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
Total processes: 36
Monitored processes: 5
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Edge legend: drop and start; start.
Chain: winrar.exe -> swiftmt202_105rd119002425.exe -> wscript.exe (no specs) -> xbb.exe -> regsvcs.exe (#NANOCORE)

Process information

PID 3576 | WinRAR.exe | parent: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SWIFTMT202_105RD119002425.uue.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity level: MEDIUM | Version: 5.60.0
  Description: WinRAR archiver

PID 3248 | SWIFTMT202_105RD119002425.exe | parent: WinRAR.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3576.29740\SWIFTMT202_105RD119002425.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3576.29740\SWIFTMT202_105RD119002425.exe
  User: admin | Integrity level: MEDIUM | Exit code: 0
  (no company or description metadata; run straight from WinRAR's temporary extraction folder)

PID 3912 | WScript.exe | parent: SWIFTMT202_105RD119002425.exe
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\95444044\vhe.vbe"
  Path: C:\Windows\System32\WScript.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0 | Version: 5.8.7600.16385
  Description: Microsoft ® Windows Based Script Host

PID 3280 | xbb.exe | parent: WScript.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\95444044\xbb.exe" pnn=gbo
  Path: C:\Users\admin\AppData\Local\Temp\95444044\xbb.exe
  User: admin | Company: AutoIt Team | Integrity level: MEDIUM | Version: 3, 3, 8, 1
  Description: AutoIt v3 Script
  (xbb.exe carries AutoIt Team version information and is passed pnn=gbo, a dropped file of that name in the same folder; this is consistent with an AutoIt3 interpreter executing that dropped script)

PID 3032 | RegSvcs.exe | parent: xbb.exe
  CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Version: 4.7.3062.0 built by: NET472REL1
  Description: Microsoft .NET Services Installation Utility
  (a legitimate, signed Microsoft utility started with no arguments by the AutoIt process; it is the process in which NanoCore was detected and that opens the C2 connection)
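The process chain above (archive -> extracted executable -> script host -> AutoIt interpreter -> RegSvcs.exe) is the kind of lineage a detection can be written against without depending on the sample's hashes, which the next repack will change. The following is an added example (not ANY.RUN's code) that transcribes the five process records from this page and checks them for the lineage patterns a practitioner would alert on. The list of .NET utilities treated as injection hosts, the user-writable path prefixes, and the parent PID 0 for WinRAR (explorer.exe's PID is not on the page) are assumptions made for the example.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid name parent_pid company cmdline")

# Process records transcribed from the report above. explorer.exe's PID is not
# given on the page, so WinRAR's parent is recorded as 0 (assumption).
PROCS = [
    Proc(3576, "WinRAR.exe", 0, "Alexander Roshal",
         r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SWIFTMT202_105RD119002425.uue.rar"'),
    Proc(3248, "SWIFTMT202_105RD119002425.exe", 3576, None,
         r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa3576.29740\SWIFTMT202_105RD119002425.exe"'),
    Proc(3912, "WScript.exe", 3248, "Microsoft Corporation",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\95444044\vhe.vbe"'),
    Proc(3280, "xbb.exe", 3912, "AutoIt Team",
         r'"C:\Users\admin\AppData\Local\Temp\95444044\xbb.exe" pnn=gbo'),
    Proc(3032, "RegSvcs.exe", 3280, "Microsoft Corporation",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Signed .NET framework utilities that ship with Windows and are commonly used as
# hosts for injected code. This list is an assumption for the example, not from the report.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
# Path fragments (lower-cased) that a normal user can write to. Assumed list.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def lineage(procs, pid):
    """Root-to-leaf list of PIDs for the given process."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].parent_pid
    return list(reversed(chain))


def image_path(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def from_user_writable(cmdline):
    return any(frag in image_path(cmdline).lower() for frag in USER_WRITABLE)


def findings(procs):
    """(pid, reason) pairs for every lineage pattern worth alerting on."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        parent = by_pid.get(p.parent_pid)
        name = p.name.lower()
        pname = parent.name.lower() if parent else ""
        if pname in SCRIPT_HOSTS and from_user_writable(p.cmdline):
            out.append((p.pid, "script host launched executable from user-writable path"))
        if pname == "winrar.exe" and name.endswith(".exe") and from_user_writable(p.cmdline):
            out.append((p.pid, "executable run straight from archive extraction folder"))
        if name in DOTNET_HOSTS and parent and parent.company != "Microsoft Corporation":
            out.append((p.pid, "signed .NET utility spawned by non-Microsoft parent"))
        if name in DOTNET_HOSTS and image_path(p.cmdline) == p.cmdline.strip('"'):
            out.append((p.pid, ".NET utility started with no arguments"))
        if p.company == "AutoIt Team" and from_user_writable(p.cmdline):
            out.append((p.pid, "AutoIt interpreter running from user-writable path"))
    return out


if __name__ == "__main__":
    print("lineage of 3032:", lineage(PROCS, 3032))
    for pid, reason in findings(PROCS):
        print(pid, reason)
```

Each rule is independent of the file names and hashes, so the same checks fire on the next build of this dropper; the RegSvcs.exe rules in particular (non-Microsoft parent, no arguments) match the page's observation that a stock .NET installation utility is the process carrying the NanoCore traffic.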
Total events: 1 355
Read events: 1 277
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 2
Text files: 79
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3248 | SWIFTMT202_105RD119002425.exe | C:\Users\admin\AppData\Local\Temp\95444044\pnn=gbo | (not recorded) | (not recorded) | (not recorded)
3248 | SWIFTMT202_105RD119002425.exe | C:\Users\admin\AppData\Local\Temp\95444044\bjg.dll | text | E3645D8384176E8E3A2FFD12AADB93E0 | 4B89C967BF8EF8BBB0DBF46FFCC0AFBE0091B8025FC8405181BECF59DE07D3EA
3248 | SWIFTMT202_105RD119002425.exe | C:\Users\admin\AppData\Local\Temp\95444044\lca.ico | text | AFD089611D7BAB1FFE6217ACF621C78D | 5E8C1C63777B4C39A8572D79A8FDCBCDAF9C6569F3E28A71B995EAAB26210293
3248 | SWIFTMT202_105RD119002425.exe | C:\Users\admin\AppData\Local\Temp\95444044\cgb.bmp | text | F02E2BB70EEFB9E23C07D21D70859CEF | EC91CC4E374D3213560D3D1BC72C71E9A89AF7CC009D4C135C4139E6971708B8
3576 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3576.29740\SWIFTMT202_105RD119002425.exe | executable | ACEF3ABFBDE27400E0737FB780F6A3CC | D9DCDEF4FEA2521509BB3EEAE3DAB75392AC903891F0F3161A3A30FF6F26010F
3248 | SWIFTMT202_105RD119002425.exe | C:\Users\admin\AppData\Local\Temp\95444044\rqu.icm | text | 0D94A4461ED4D1FB22317ED0D8DFDDF3 | 7AF05337FCB714425C5F327101F6A379CC7AB1111A7BB4F6197A27E617097A19
3248 | SWIFTMT202_105RD119002425.exe | C:\Users\admin\AppData\Local\Temp\95444044\kma.exe | text | D9403433849C6228287B693CC112EC41 | 12FDD0D0C97578AA59B3D804B32B266C7C7B2616A63760916F5749C5686D5746
3248 | SWIFTMT202_105RD119002425.exe | C:\Users\admin\AppData\Local\Temp\95444044\vhe.vbe | text | 46D2F1E60C951EEF6EFDE06BF6267E93 | 19AAB1D4BF84D082813FE7CDAC94E6A64822EC55549ED1169B6D2FFDADF822A5
3248 | SWIFTMT202_105RD119002425.exe | C:\Users\admin\AppData\Local\Temp\95444044\cjr.ppt | text | 682D76EDFCFA2FDF87D50781819F2C08 | 61A8EF10CEA5059D1520087254F6916575D3EB3E9076AA14DA103191E5EDAFBA
3248 | SWIFTMT202_105RD119002425.exe | C:\Users\admin\AppData\Local\Temp\95444044\est.xml | text | F0A0368C679EF4E9E3AAB8F4E1215AE7 | 05BD4FF761FBB98CC423CBBBD3E0D81389E6AE3A8B8B76B8B61A9F0F63749A44

Most of the files the dropper writes into C:\Users\admin\AppData\Local\Temp\95444044\ carry an extension (.dll, .ico, .bmp, .icm, .exe, .ppt, .xml) that does not match their content, which the sandbox classifies as text. vhe.vbe is the script WScript.exe (PID 3912) runs and pnn=gbo is the argument passed to xbb.exe (PID 3280). The only file classified as executable is the archive's own payload extracted by WinRAR.
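Both the submitted file (a RAR v5 archive named .uue, see the Indicators section) and the dropped files above (.exe, .dll and image extensions on text content) show the same trick: the extension says one thing, the bytes say another. The following is an added example (not ANY.RUN's code) of a magic-byte sniffer that flags such mismatches; the file contents it runs on are constructed stand-ins, not bytes from the real samples, and the table of which extensions may carry which types is an assumption for the example. The RAR, PE and uuencode signatures themselves are the documented ones for those formats.

```python
# Magic-byte signatures for the formats that matter in this report, plus the
# "begin " header that a genuine uuencoded .uue file starts with.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar5"),   # RAR v5 archive (the sample's real type)
    (b"Rar!\x1a\x07\x00", "rar4"),       # RAR v1.5 to v4 archive
    (b"MZ", "pe"),                       # DOS/PE executable
    (b"begin ", "uuencode"),             # uuencode header line
]

# Which sniffed types a given extension is allowed to carry (assumed policy).
EXPECTED = {
    "rar": {"rar4", "rar5"},
    "uue": {"uuencode"},
    "exe": {"pe"},
    "dll": {"pe"},
}


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    # No known magic: distinguish printable text from opaque binary.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return "text"
    return "binary"


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extension_mismatch(name: str, data: bytes):
    """Return (actual_type, mismatch) for a file name and its contents."""
    actual = sniff(data)
    expected = EXPECTED.get(extension_of(name))
    if expected is None:
        return actual, False  # extension not in our policy: nothing to compare against
    return actual, actual not in expected


# Constructed sample contents, named after files in this report (not their real bytes).
SAMPLES = {
    "SWIFTMT202_105RD119002425.uue": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,
    "SWIFTMT202_105RD119002425.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "kma.exe": b"this is script text, not a PE file\r\n",
    "bjg.dll": b"also plain text\r\n",
    "genuine.uue": b"begin 644 payload\r\nM...\r\nend\r\n",
}


def triage(samples=SAMPLES):
    """Map each file name to (sniffed type, mismatch flag)."""
    return {name: extension_mismatch(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, bad) in triage().items():
        print(f"{name:35} {kind:9} {'MISMATCH' if bad else 'ok'}")
```

Run against real files, read only the first few hundred bytes: the point of the check is to decide on content before anything (WinRAR, the script host, the user) acts on the name.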
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
3032 | RegSvcs.exe | 8.8.8.8:53 | (none) | Google Inc. | US | whitelisted
3032 | RegSvcs.exe | 79.134.225.110:54985 | 1gstemos.duckdns.org | Andreas Fink trading as Fink Telecom Services | CH | malicious

DNS requests

Domain | IP | Reputation
1gstemos.duckdns.org | 79.134.225.110 | malicious
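The two network facts in the tables above, a dynamic-DNS hostname under duckdns.org and a signed Microsoft utility talking to a public address on port 54985, are each enough to raise an alert on their own. The following is an added example (not ANY.RUN's code) that transcribes the report's connection and DNS records and applies both checks, then extracts the IOCs from whatever was flagged. The dynamic-DNS zones other than duckdns.org, the set of "normal" ports, and the list of .NET utilities are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "pid process ip port domain")

# Transcribed from the Connections and DNS tables of this report.
CONNS = [
    Conn(3032, "RegSvcs.exe", "8.8.8.8", 53, None),
    Conn(3032, "RegSvcs.exe", "79.134.225.110", 54985, "1gstemos.duckdns.org"),
]

# duckdns.org is the zone seen in the report; the others are well-known dynamic-DNS
# providers added as an assumption for this example.
DYNDNS_ZONES = ("duckdns.org", "no-ip.org", "hopto.org", "ddns.net")
# Ports a Windows host is expected to use on its own; anything else from a signed
# system utility deserves a look. Assumed list.
COMMON_PORTS = {53, 80, 443, 123, 135, 139, 445}
# Signed .NET utilities that should not be opening sockets at all. Assumed list.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}


def is_dyndns(domain):
    """True if the name is a dynamic-DNS zone or a sub-domain of one."""
    if not domain:
        return False
    d = domain.lower().rstrip(".")
    return any(d == z or d.endswith("." + z) for z in DYNDNS_ZONES)


def is_public(ip):
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast)


def review(conns):
    """(pid, reason) pairs for each connection that trips a rule."""
    alerts = []
    for c in conns:
        if is_dyndns(c.domain):
            alerts.append((c.pid, f"dynamic DNS host {c.domain}"))
        if c.process.lower() in DOTNET_HOSTS and is_public(c.ip) and c.port not in COMMON_PORTS:
            alerts.append((c.pid, f"{c.process} to {c.ip}:{c.port} on a non-standard port"))
    return alerts


def iocs(conns):
    """Domains and ip:port pairs for every flagged process, excluding its DNS traffic."""
    flagged = {pid for pid, _ in review(conns)}
    out = set()
    for c in conns:
        if c.pid in flagged and c.port != 53:
            out.add(f"{c.ip}:{c.port}")
            if c.domain:
                out.add(c.domain)
    return out


if __name__ == "__main__":
    for pid, reason in review(CONNS):
        print(pid, reason)
    print("IOCs:", sorted(iocs(CONNS)))
```

The resolver traffic to 8.8.8.8:53 is deliberately left out of the IOC set: it is the lookup, not the destination, and blocking it would only tell the operator to switch resolvers.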

Threats

PID | Process | Class | Message
3032 | RegSvcs.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain (2 alerts)
3032 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B
3032 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT (7 alerts)
12 ETPRO signatures are available in the full report.
No debug info