
Scan_0023.pdf.z

Full analysis: https://app.any.run/tasks/32d04a27-3b0d-41b8-994c-95ebf6ac3443
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). The malware is highly customizable through plugins, which let attackers tailor its functionality to their needs. NanoCore is written on the .NET Framework and is sold for just $25 from its “official” website.

Analysis date: November 08, 2018, 11:18:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, nanocore, trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 35E44B944905BB6C9651F3A84A6303B9
SHA1: 45DA5C96E8792DDDE5E88DB34CA4C0A2EFF7565C
SHA256: 09F36122D82CB4649486D07C81825F43EEB5B29BC20F91BF6CEC25ED3DB55C7E
SSDEEP: 12288:0O/QrXWvGt+HaENJLsuIL8Wju08Xx7ayHjpLDI/V+idCB3xMLNc2K:L/QrXWvGtMaENJYuA8WNkQyDVwABhMLi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • Scan_0023.exe (PID: 2824)
    • Application was dropped or rewritten from another process

      • Scan_0023.exe (PID: 3428)
      • Scan_0023.exe (PID: 3304)
      • Scan_0023.exe (PID: 2824)
    • Connects to CnC server

      • Scan_0023.exe (PID: 2824)
    • NanoCore was detected

      • Scan_0023.exe (PID: 2824)
    • Actions look like stealing of personal data

      • vbc.exe (PID: 2636)
  • SUSPICIOUS

    • Connects to unusual port

      • Scan_0023.exe (PID: 2824)
    • Executable content was dropped or overwritten

      • Scan_0023.exe (PID: 2824)
      • WinRAR.exe (PID: 2940)
    • Application launched itself

      • Scan_0023.exe (PID: 3304)
    • Creates files in the user directory

      • Scan_0023.exe (PID: 2824)
    • Loads DLL from Mozilla Firefox

      • vbc.exe (PID: 348)
    • Executes scripts

      • Scan_0023.exe (PID: 2824)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • Scan_0023.exe (PID: 2824)
      • WinRAR.exe (PID: 2940)
    • Reads CPU info

      • firefox.exe (PID: 2704)
      • firefox.exe (PID: 2564)
      • firefox.exe (PID: 3780)
      • firefox.exe (PID: 3240)
    • Application launched itself

      • firefox.exe (PID: 3240)
    • Creates files in the user directory

      • firefox.exe (PID: 3240)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: Scan_0023.exe
PackingMethod: Normal
ModifyDate: 2018:11:08 10:56:20
OperatingSystem: Win32
UncompressedSize: 749568
CompressedSize: 435784
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes, in the order shown in the graph: winrar.exe, scan_0023.exe (no specs), scan_0023.exe (#NANOCORE), scan_0023.exe (no specs), vbc.exe, vbc.exe (no specs), firefox.exe, firefox.exe, firefox.exe, firefox.exe, pingsender.exe. Edge labels: "drop and start", "start".

Process information

PID: 2940
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Scan_0023.pdf.z.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3304
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2940.45899\scan_0023.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2824
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe
Parent process: Scan_0023.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2940.45899\scan_0023.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shlwapi.dll
PID: 3428
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe" 2 2824 1697296
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe
Parent process: Scan_0023.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2940.45899\scan_0023.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2636
CMD: "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\admin\AppData\Local\Temp\nvjr5z52.xsv"
Path: c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
Parent process: Scan_0023.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 348
CMD: "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\admin\AppData\Local\Temp\myrkgmmq.ukl"
Path: c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
Parent process: Scan_0023.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3240
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 2704
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.0.1469293502\697823560" -childID 1 -isForBrowser -prefsHandle 1392 -prefsLen 8309 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 980 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 2564
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.6.431083515\535342809" -childID 2 -isForBrowser -prefsHandle 2392 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 2360 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 3780
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.12.938385936\339211145" -childID 3 -isForBrowser -prefsHandle 2948 -prefsLen 11808 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 2968 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
Total events: 950
Read events: 912
Write events: 38
Delete events: 0

Modification events

(2940) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(2940) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(2940) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(2940) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Scan_0023.pdf.z.rar
(2940) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(2940) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(2940) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(2940) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(2940) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 0
(2940) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 1
Executable files: 2
Suspicious files: 38
Text files: 18
Unknown types: 27

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2636 | vbc.exe | C:\Users\admin\AppData\Local\Temp\nvjr5z52.xsv | (none) | (none) | (none)
348 | vbc.exe | C:\Users\admin\AppData\Local\Temp\myrkgmmq.ukl | (none) | (none) | (none)
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | (none) | (none) | (none)
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | (none) | (none) | (none)
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | (none) | (none) | (none)
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | (none) | (none) | (none)
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | (none) | (none) | (none)
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | (none) | (none) | (none)
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | (none) | (none) | (none)
3240 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | 707C12070C52E55C2A996AC15E219B95 | 6C5410C655C8EFC48D123ABE708C8940A4218072C0DAF85E03AB45DA6D2CE6B9
HTTP(S) requests: 4
TCP/UDP connections: 10
DNS requests: 46
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3240 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3240 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3240 | firefox.exe | GET | 200 | 2.16.186.50:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted
3240 | firefox.exe | POST | 200 | 216.58.215.238:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2824 | Scan_0023.exe | 191.101.22.47:7000 | (none) | UK Dedicated Servers Limited | GB | malicious
3240 | firefox.exe | 172.217.168.74:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
3240 | firefox.exe | 216.58.215.238:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3240 | firefox.exe | 2.16.186.50:80 | detectportal.firefox.com | Akamai International B.V. | (none) | whitelisted
3240 | firefox.exe | 93.184.220.29:80 | cs9.wac.phicdn.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3240 | firefox.exe | 52.222.173.201:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown
1988 | pingsender.exe | 52.34.167.99:443 | incoming.telemetry.mozilla.org | Amazon.com, Inc. | US | unknown
3240 | firefox.exe | 52.43.40.243:443 | tiles.r53-2.services.mozilla.com | Amazon.com, Inc. | US | unknown
3240 | firefox.exe | 34.255.82.141:443 | location.services.mozilla.com | Amazon.com, Inc. | IE | unknown
3240 | firefox.exe | 34.208.206.25:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown

DNS requests

Domain | IP | Reputation
detectportal.firefox.com | 2.16.186.50, 2.16.186.112 | whitelisted
a1089.dscd.akamai.net | 2.16.186.112, 2.16.186.50 | whitelisted
search.services.mozilla.com | 34.208.206.25, 52.39.244.38, 34.213.14.244 | whitelisted
search.r53-2.services.mozilla.com | 34.213.14.244, 52.39.244.38, 34.208.206.25 | whitelisted
cs9.wac.phicdn.net | 93.184.220.29 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
tiles.r53-2.services.mozilla.com | 52.34.107.172, 52.41.78.152, 52.41.60.30, 52.40.109.206, 52.39.131.77, 52.37.207.140, 52.10.130.148, 52.43.40.243 | whitelisted
tiles.services.mozilla.com | 52.43.40.243, 52.10.130.148, 52.37.207.140, 52.39.131.77, 52.40.109.206, 52.41.60.30, 52.41.78.152, 52.34.107.172 | whitelisted
snippets.cdn.mozilla.net | 52.222.173.201 | whitelisted
drcwo519tnci7.cloudfront.net | 52.222.173.201 | shared

Threats

PID | Process | Class | Message
2824 | Scan_0023.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
2824 | Scan_0023.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B (9 events)
46 ETPRO signatures available at the full report
No debug info