File name: Scan_0023.pdf.z

Full analysis: https://app.any.run/tasks/f5fcd5ca-8c38-4163-b10e-bf889ecd6b9e
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). The malware is highly customizable through plugins, which let attackers tailor its functionality to their needs. NanoCore is written on the .NET framework and is available for purchase for just $25 from its "official" website.

Analysis date: November 08, 2018, 11:49:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, nanocore, trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 35E44B944905BB6C9651F3A84A6303B9
SHA1: 45DA5C96E8792DDDE5E88DB34CA4C0A2EFF7565C
SHA256: 09F36122D82CB4649486D07C81825F43EEB5B29BC20F91BF6CEC25ED3DB55C7E
SSDEEP: 12288:0O/QrXWvGt+HaENJLsuIL8Wju08Xx7ayHjpLDI/V+idCB3xMLNc2K:L/QrXWvGtMaENJYuA8WNkQyDVwABhMLi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Scan_0023.exe (PID: 1860)
      • Scan_0023.exe (PID: 2900)
      • Scan_0023.exe (PID: 896)
    • NanoCore was detected

      • Scan_0023.exe (PID: 1860)
    • Changes the autorun value in the registry

      • Scan_0023.exe (PID: 1860)
    • Connects to CnC server

      • Scan_0023.exe (PID: 1860)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3128)
      • Scan_0023.exe (PID: 1860)
    • Application launched itself

      • Scan_0023.exe (PID: 2900)
    • Connects to unusual port

      • Scan_0023.exe (PID: 1860)
    • Creates files in the user directory

      • Scan_0023.exe (PID: 1860)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3128)
      • Scan_0023.exe (PID: 1860)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: Scan_0023.exe
PackingMethod: Normal
ModifyDate: 2018:11:08 10:56:20
OperatingSystem: Win32
UncompressedSize: 749568
CompressedSize: 435784
No data.
Total processes: 35
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph (image available in the full report)

winrar.exe → drop and start → scan_0023.exe (no specs) → start → scan_0023.exe (#NANOCORE) → scan_0023.exe (no specs)

Process information

PID: 3128
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Scan_0023.pdf.z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 2900
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3128.33005\Scan_0023.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3128.33005\Scan_0023.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3128.33005\scan_0023.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 1860
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3128.33005\Scan_0023.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3128.33005\Scan_0023.exe
Parent process: Scan_0023.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3128.33005\scan_0023.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shlwapi.dll

PID: 896
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3128.33005\Scan_0023.exe" 2 1860 6161828
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3128.33005\Scan_0023.exe
Parent process: Scan_0023.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3128.33005\scan_0023.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 444
Read events: 431
Write events: 13
Delete events: 0

Modification events

(PID) Process: (3128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3128) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Scan_0023.pdf.z

(PID) Process: (3128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 1

Dropped files

PID: 3128
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3128.33271\Scan_0023.exe
Type:
MD5:
SHA256:

PID: 1860
Process: Scan_0023.exe
Filename: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
Type: text
MD5: 2EBEAE51136DB1B8EED3299214424C9A
SHA256: 6E741A6026E4C1674EF34278D417A96559BBB7C3472C8D1A652E6378E34E3920

PID: 1860
Process: Scan_0023.exe
Filename: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
Type: executable
MD5: 606FAB33CE576911C9753E0894A7F388
SHA256: 2F3782AC17442A0A10C885A672A3C88A07AFC5CA63A8D03E5F813A6784F4416C

PID: 3128
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3128.33005\Scan_0023.exe
Type: executable
MD5: 606FAB33CE576911C9753E0894A7F388
SHA256: 2F3782AC17442A0A10C885A672A3C88A07AFC5CA63A8D03E5F813A6784F4416C

PID: 1860
Process: Scan_0023.exe
Filename: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat
Type: bs
MD5: 32D0AAE13696FF7F8AF33B2D22451028
SHA256: 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 1860
Process: Scan_0023.exe
IP: 191.101.22.47:7000
Domain:
ASN: UK Dedicated Servers Limited
CN: GB
Reputation: malicious

DNS requests

No data

Threats

PID: 1860
Process: Scan_0023.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] NanoCore.RAT
5 ETPRO signatures available at the full report
No debug info