analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.dropbox.com/s/96wq9xiuwr46yj2/Western%20union%20NEW.rar?dl=1

Full analysis: https://app.any.run/tasks/44c55db7-5031-49f7-873e-181ee4f8b4c5
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: October 19, 2020, 21:35:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
nanocore
Indicators:
MD5:

EB18CE2DE047904E0FCAC714EBCE500C

SHA1:

069482ACF9DA93A3FA8CD33BA3D083FEE37F0EAD

SHA256:

065D85B9FA7ACA973CCDC7B25F34BE610DE778C11647E39ED573A06F6963F746

SSDEEP:

3:N8DSLcVHGk+UiSX1+fYLGr7OA:2OLHk+0X9LG//

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Western union NEW.exe (PID: 2900)
      • Western union NEW.exe (PID: 3652)

    • Uses Task Scheduler to run other applications

      • Western union NEW.exe (PID: 2900)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 960)

    • NANOCORE was detected

      • Western union NEW.exe (PID: 3652)

    • Changes the autorun value in the registry

      • Western union NEW.exe (PID: 3652)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3572)
      • Western union NEW.exe (PID: 2900)
      • Western union NEW.exe (PID: 3652)

    • Creates files in the user directory

      • Western union NEW.exe (PID: 2900)
      • Western union NEW.exe (PID: 3652)

    • Application launched itself

      • Western union NEW.exe (PID: 2900)

  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 552)
      • iexplore.exe (PID: 2492)

    • Creates files in the user directory

      • iexplore.exe (PID: 552)
      • iexplore.exe (PID: 2492)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2492)

    • Changes internet zones settings

      • iexplore.exe (PID: 2492)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2492)
      • iexplore.exe (PID: 552)

    • Application launched itself

      • iexplore.exe (PID: 2492)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2492)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start iexplore.exe iexplore.exe winrar.exe western union new.exe schtasks.exe no specs #NANOCORE western union new.exe

Process information

PID
CMD
Path
Indicators
Parent process
2492"C:\Program Files\Internet Explorer\iexplore.exe" https://www.dropbox.com/s/96wq9xiuwr46yj2/Western%20union%20NEW.rar?dl=1C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
552"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2492 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3572"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Western union NEW.rar"C:\Program Files\WinRAR\WinRAR.exe
iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2900"C:\Users\admin\AppData\Local\Temp\Rar$EXa3572.20540\Western union NEW.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3572.20540\Western union NEW.exe
WinRAR.exe
User:
admin
Company:
Molière
Integrity Level:
MEDIUM
Description:
Vivre sans
Exit code:
0
Version:
6.6.0.2
960"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpYlCF" /XML "C:\Users\admin\AppData\Local\Temp\tmp33D1.tmp"C:\Windows\System32\schtasks.exeWestern union NEW.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3652"{path}"C:\Users\admin\AppData\Local\Temp\Rar$EXa3572.20540\Western union NEW.exe
Western union NEW.exe
User:
admin
Company:
Molière
Integrity Level:
MEDIUM
Description:
Vivre sans
Version:
6.6.0.2
Total events
1 787
Read events
1 701
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
25
Text files
6
Unknown types
8

Dropped files

PID
Process
Filename
Type
552iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab44DE.tmp
MD5:
SHA256:
552iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar44DF.tmp
MD5:
SHA256:
552iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\LEUI6OGY.txt
MD5:
SHA256:
552iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\I32GGIPI.txt
MD5:
SHA256:
552iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Western union NEW.rar.t9x08t9.partial
MD5:
SHA256:
2492iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF5BFBEDD3C0E276CA.TMP
MD5:
SHA256:
2492iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Western union NEW.rar.t9x08t9.partial:Zone.Identifier
MD5:
SHA256:
2492iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab2EEF.tmp
MD5:
SHA256:
2492iexplore.exeC:\Users\admin\AppData\Local\Temp\Tar2EF0.tmp
MD5:
SHA256:
552iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619der
MD5:F015601AD339528FD173B9D3B2988E2C
SHA256:D86428471E16F63A5185B1BCC3E376D687548A45AB9C8B0E1257A7853C343562
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
31
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
552
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
552
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAVjKs1LcjoWx51wu2cBcuE%3D
US
der
471 b
whitelisted
552
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAblg20XjDYvMdklb%2BSFKGs%3D
US
der
471 b
whitelisted
552
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
US
der
471 b
whitelisted
552
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
2492
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2492
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
552
iexplore.exe
GET
200
93.184.220.29:80
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
US
der
592 b
whitelisted
2492
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
552
iexplore.exe
162.125.66.1:443
www.dropbox.com
Dropbox, Inc.
DE
shared
552
iexplore.exe
162.125.66.15:443
uc0c9598dd56d96467aef7811e67.dl.dropboxusercontent.com
Dropbox, Inc.
DE
malicious
552
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2492
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2492
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3652
Western union NEW.exe
154.120.113.212:52943
johnsuccess18.ddns.net
Spectranet
NG
unknown
2492
iexplore.exe
204.79.197.200:443
ieonline.microsoft.com
Microsoft Corporation
US
whitelisted
3652
Western union NEW.exe
194.5.97.186:52943
FR
unknown

DNS requests

Domain
IP
Reputation
www.dropbox.com
  • 162.125.66.1
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
uc0c9598dd56d96467aef7811e67.dl.dropboxusercontent.com
  • 162.125.66.15
malicious
crl4.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
johnsuccess18.ddns.net
  • 154.120.113.212
malicious
ieonline.microsoft.com
  • 204.79.197.200
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.dropbox.com/s/96wq9xiuwr46yj2/Western%20union%20NEW.rar?dl=1