download: | Scan_0023.pdf.z |
Full analysis: | https://app.any.run/tasks/32d04a27-3b0d-41b8-994c-95ebf6ac3443 |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | November 08, 2018, 11:18:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | 35E44B944905BB6C9651F3A84A6303B9 |
SHA1: | 45DA5C96E8792DDDE5E88DB34CA4C0A2EFF7565C |
SHA256: | 09F36122D82CB4649486D07C81825F43EEB5B29BC20F91BF6CEC25ED3DB55C7E |
SSDEEP: | 12288:0O/QrXWvGt+HaENJLsuIL8Wju08Xx7ayHjpLDI/V+idCB3xMLNc2K:L/QrXWvGtMaENJYuA8WNkQyDVwABhMLi |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
ArchivedFileName: | Scan_0023.exe |
---|---|
PackingMethod: | Normal |
ModifyDate: | 2018:11:08 10:56:20 |
OperatingSystem: | Win32 |
UncompressedSize: | 749568 |
CompressedSize: | 435784 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2940 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Scan_0023.pdf.z.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
3304 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2824 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe | Scan_0023.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
3428 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe" 2 2824 1697296 | C:\Users\admin\AppData\Local\Temp\Rar$EXa2940.45899\Scan_0023.exe | — | Scan_0023.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
2636 | "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\admin\AppData\Local\Temp\nvjr5z52.xsv" | c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | Scan_0023.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 Modules
| |||||||||||||||
348 | "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\admin\AppData\Local\Temp\myrkgmmq.ukl" | c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | — | Scan_0023.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 Modules
| |||||||||||||||
3240 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | explorer.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 61.0.2 Modules
| |||||||||||||||
2704 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.0.1469293502\697823560" -childID 1 -isForBrowser -prefsHandle 1392 -prefsLen 8309 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 980 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 61.0.2 Modules
| |||||||||||||||
2564 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.6.431083515\535342809" -childID 2 -isForBrowser -prefsHandle 2392 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 2360 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 61.0.2 Modules
| |||||||||||||||
3780 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.12.938385936\339211145" -childID 3 -isForBrowser -prefsHandle 2948 -prefsLen 11808 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 2968 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 61.0.2 Modules
|
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Scan_0023.pdf.z.rar | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2636 | vbc.exe | C:\Users\admin\AppData\Local\Temp\nvjr5z52.xsv | — | |
MD5:— | SHA256:— | |||
348 | vbc.exe | C:\Users\admin\AppData\Local\Temp\myrkgmmq.ukl | — | |
MD5:— | SHA256:— | |||
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— | |||
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | — | |
MD5:— | SHA256:— | |||
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | — | |
MD5:— | SHA256:— | |||
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | — | |
MD5:— | SHA256:— | |||
3240 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | — | |
MD5:— | SHA256:— | |||
3240 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | |
MD5:707C12070C52E55C2A996AC15E219B95 | SHA256:6C5410C655C8EFC48D123ABE708C8940A4218072C0DAF85E03AB45DA6D2CE6B9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3240 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3240 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3240 | firefox.exe | GET | 200 | 2.16.186.50:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
3240 | firefox.exe | POST | 200 | 216.58.215.238:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2824 | Scan_0023.exe | 191.101.22.47:7000 | — | UK Dedicated Servers Limited | GB | malicious |
3240 | firefox.exe | 172.217.168.74:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3240 | firefox.exe | 216.58.215.238:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3240 | firefox.exe | 2.16.186.50:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
3240 | firefox.exe | 93.184.220.29:80 | cs9.wac.phicdn.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3240 | firefox.exe | 52.222.173.201:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
1988 | pingsender.exe | 52.34.167.99:443 | incoming.telemetry.mozilla.org | Amazon.com, Inc. | US | unknown |
3240 | firefox.exe | 52.43.40.243:443 | tiles.r53-2.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3240 | firefox.exe | 34.255.82.141:443 | location.services.mozilla.com | Amazon.com, Inc. | IE | unknown |
3240 | firefox.exe | 34.208.206.25:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
cs9.wac.phicdn.net |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
tiles.r53-2.services.mozilla.com |
| whitelisted |
tiles.services.mozilla.com |
| whitelisted |
snippets.cdn.mozilla.net |
| whitelisted |
drcwo519tnci7.cloudfront.net |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2824 | Scan_0023.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
2824 | Scan_0023.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
2824 | Scan_0023.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
2824 | Scan_0023.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
2824 | Scan_0023.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
2824 | Scan_0023.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
2824 | Scan_0023.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
2824 | Scan_0023.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
2824 | Scan_0023.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
2824 | Scan_0023.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |