URL: | https://sistemkalip.net/flycheck/Ticketmasterconfirmation3883948383948394.7z |
Full analysis: | https://app.any.run/tasks/cb0e97af-6122-4181-87e5-842dedde0d77 |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | June 12, 2019, 08:05:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 6884DB91DFD3C899E7EA5154743F67A0 |
SHA1: | 7D7044129217BEEC81AA1235DA32303E21716BE9 |
SHA256: | 14167E5C98338AB438F5C3DCB71ADBA2B47C3455341D983ADA5B1B6DC5258281 |
SSDEEP: | 3:N8BHoC5D1SGln5HYnWjR/cFs:2ZV5PHmFs |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2952 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://sistemkalip.net/flycheck/Ticketmasterconfirmation3883948383948394.7z | C:\Program Files\Mozilla Firefox\firefox.exe | explorer.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 65.0.2 | ||||
3984 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.0.232410091\1637758825" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 1156 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 65.0.2 | ||||
2864 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.6.1110181118\100154082" -childID 1 -isForBrowser -prefsHandle 840 -prefMapHandle 1728 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 1724 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 | ||||
3956 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.13.1870370291\892492357" -childID 2 -isForBrowser -prefsHandle 2676 -prefMapHandle 2680 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 2692 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 | ||||
2180 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.20.2077284520\880786582" -childID 3 -isForBrowser -prefsHandle 3468 -prefMapHandle 3472 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 3484 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 | ||||
3312 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ticketmasterconfirmation3883948383948394.7z" | C:\Program Files\WinRAR\WinRAR.exe | firefox.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3176 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3312.25214\Ticketmasterconfirmation3883948383948394.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3312.25214\Ticketmasterconfirmation3883948383948394.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM Description: CalcClient Exit code: 0 Version: 1.0.0.0 | ||||
3448 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RpvhnUxHsuK" /XML "C:\Users\admin\AppData\Local\Temp\tmpF660.tmp" | C:\Windows\System32\schtasks.exe | — | Ticketmasterconfirmation3883948383948394.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4012 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3312.25214\Ticketmasterconfirmation3883948383948394.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3312.25214\Ticketmasterconfirmation3883948383948394.exe | Ticketmasterconfirmation3883948383948394.exe | |
User: admin Integrity Level: MEDIUM Description: CalcClient Version: 1.0.0.0 | ||||
2140 | "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\admin\AppData\Local\Temp\1m4ka0ii.4nd" | c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | Ticketmasterconfirmation3883948383948394.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2952 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
2952 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— | |||
2952 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\trash23672 | — | |
MD5:— | SHA256:— | |||
2952 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
2952 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
2952 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal | — | |
MD5:— | SHA256:— | |||
2952 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-malware-simple.sbstore | — | |
MD5:— | SHA256:— | |||
2952 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-malware-simple.pset | — | |
MD5:— | SHA256:— | |||
2952 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-phish-simple.sbstore | — | |
MD5:— | SHA256:— | |||
2952 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-phish-simple.pset | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2952 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2952 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2952 | firefox.exe | POST | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2952 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2952 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2952 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2952 | firefox.exe | GET | 200 | 2.16.186.50:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
2952 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2952 | firefox.exe | GET | 200 | 2.16.186.50:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
2952 | firefox.exe | POST | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2952 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2952 | firefox.exe | 172.217.21.202:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2952 | firefox.exe | 172.217.16.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2952 | firefox.exe | 52.25.98.1:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2952 | firefox.exe | 213.238.177.12:443 | sistemkalip.net | Dgn Teknoloji A.s. | TR | unknown |
2952 | firefox.exe | 13.32.158.45:443 | tracking-protection.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
2952 | firefox.exe | 2.16.186.50:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
2952 | firefox.exe | 34.215.70.240:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2952 | firefox.exe | 13.32.159.68:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
2952 | firefox.exe | 52.34.127.169:443 | aus5.mozilla.org | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
sistemkalip.net |
| unknown |
detectportal.firefox.com |
| whitelisted |
aus5.mozilla.org |
| whitelisted |
balrog-aus5.r53-2.services.mozilla.com |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
tiles.services.mozilla.com |
| whitelisted |
tiles.r53-2.services.mozilla.com |
| whitelisted |
snippets.cdn.mozilla.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
4012 | Ticketmasterconfirmation3883948383948394.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
4012 | Ticketmasterconfirmation3883948383948394.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
4012 | Ticketmasterconfirmation3883948383948394.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
4012 | Ticketmasterconfirmation3883948383948394.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
4012 | Ticketmasterconfirmation3883948383948394.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
4012 | Ticketmasterconfirmation3883948383948394.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
4012 | Ticketmasterconfirmation3883948383948394.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
4012 | Ticketmasterconfirmation3883948383948394.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
4012 | Ticketmasterconfirmation3883948383948394.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore/NetWire.RAT |
1844 | remcos.exe | A Network Trojan was detected | ET TROJAN Remcos RAT Checkin 23 |