analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

AdviceRemittanceConfirmation_BankDetailsAprroved934857438093Output.js

Full analysis: https://app.any.run/tasks/1bb60165-778f-43a7-8726-ff440cb75ddd
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: April 15, 2019, 07:04:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
rat
nanocore
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

9E8550033DD6F88BA9A07309394ABB11

SHA1:

A71D787348796593C7F4010C8F5912B44D0BD11B

SHA256:

1C14F62D89D7DC9ACCE65985EC84E8CA2277D8903A13BFD5482EEC17FEFF57B7

SSDEEP:

24576:1ik/d96Q9JKHZPjo3QN83k9PyPYquL3kekZuSEAXYX/dLlvTguiYzHbrkdU2n:1RmWA8oPyQqmkhExpJTguKn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr (PID: 3192)
      • ejn.exe (PID: 3504)
      • ejn.exe (PID: 2736)
      • RegSvcs.exe (PID: 2516)
    • Changes the autorun value in the registry

      • ejn.exe (PID: 3504)
      • RegSvcs.exe (PID: 2516)
    • NanoCore was detected

      • RegSvcs.exe (PID: 2516)
  • SUSPICIOUS

    • Drop AutoIt3 executable file

      • AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr (PID: 3192)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3568)
      • AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr (PID: 3192)
      • RegSvcs.exe (PID: 2516)
    • Starts application with an unusual extension

      • WinRAR.exe (PID: 3568)
    • Application launched itself

      • ejn.exe (PID: 2736)
    • Creates files in the user directory

      • RegSvcs.exe (PID: 2516)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr (PID: 3192)
      • ejn.exe (PID: 2736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
6
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start wscript.exe no specs winrar.exe adviceremittanceconfirmation_bankdetailsaprroved934857438.scr ejn.exe no specs ejn.exe #NANOCORE regsvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
3008"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\AdviceRemittanceConfirmation_BankDetailsAprroved934857438093Output.js"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3568"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\yvtVtlDMtalW.zip"C:\Program Files\WinRAR\WinRAR.exe
WScript.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3192"C:\Users\admin\AppData\Local\Temp\Rar$DIa3568.38113\AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr" /SC:\Users\admin\AppData\Local\Temp\Rar$DIa3568.38113\AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2736"C:\Users\admin\AppData\Local\Temp\04286461\ejn.exe" htr=pbc C:\Users\admin\AppData\Local\Temp\04286461\ejn.exeAdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
3504C:\Users\admin\AppData\Local\Temp\04286461\ejn.exe C:\Users\admin\AppData\Local\Temp\04286461\ZUNRDC:\Users\admin\AppData\Local\Temp\04286461\ejn.exe
ejn.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
2516"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
ejn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.6.1055.0 built by: NETFXREL2
Total events
1 196
Read events
1 164
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
53
Unknown types
0

Dropped files

PID
Process
Filename
Type
3192AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scrC:\Users\admin\AppData\Local\Temp\04286461\bmj.ppttext
MD5:FB36F036667429D8FF88A02E3F3BD180
SHA256:D808C2177B423E41D36F45A93A260C6EFC4D2748CDCE295A4B5930311E58047D
3192AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scrC:\Users\admin\AppData\Local\Temp\04286461\hxx.txttext
MD5:DE4C11115DD3D29B4F5E80720351BACC
SHA256:FE79ECD29719575B3A2F0F89CA4E634A701B66AB11109E46826191A426497188
3192AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scrC:\Users\admin\AppData\Local\Temp\04286461\qgg.docxtext
MD5:B24917167CE55A9E78C11DEEC7DA3111
SHA256:2EEDFD6A775DD03B9CFFD571098768119226B5A545FF82F21655CC96EA0B2CE1
3008WScript.exeC:\Users\admin\AppData\Local\Temp\yvtVtlDMtalW.zipcompressed
MD5:F108EC28EFE8711ABBDF66FAD27B997D
SHA256:5C0614C5A8CE0FC6FAC2C9E2320C21598095311980A57FCE437C464FE5E71D1E
3192AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scrC:\Users\admin\AppData\Local\Temp\04286461\StructureConstants.ppttext
MD5:FA5F4B948C882462025886F7AC55F250
SHA256:A1AE6590BCB49E53C5EEEDE98133C71AD99F94A129005A144004663BCEDEB11C
3192AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scrC:\Users\admin\AppData\Local\Temp\04286461\vks.icotext
MD5:90A9244CB76BB8F9B4F1575589469B37
SHA256:EFAADA4B963DF585CC963997BBC0ECB36792719BCF75ACA92DC08E88D93A336B
3192AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scrC:\Users\admin\AppData\Local\Temp\04286461\gfd.icotext
MD5:8862F172EE231365AF4C1BE35A330311
SHA256:42E20106E73F21E559D540BC8032CB85248F2A3DE5F96CFD1D5BAAA67F310E99
3192AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scrC:\Users\admin\AppData\Local\Temp\04286461\owq.dattext
MD5:A5A8BBC8F3AD4F8E1C8D1D4407821766
SHA256:C384F3635F70E0370C17A45FECFEE50331394F528D67B14BD871C21FD3E99467
3192AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scrC:\Users\admin\AppData\Local\Temp\04286461\jvs.jpgtext
MD5:D33CF9FB60E886191B25314D193F7839
SHA256:D1616CB061A3393A603CF0BDC05CDC36E289C3E8FFC9DE70A51B1D571A8E211F
3192AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scrC:\Users\admin\AppData\Local\Temp\04286461\loi.mp3text
MD5:106407DA17E58B96BE4D733FC99BCF62
SHA256:21F8E74B60479B3C3B58F8B535441EFC95F8D0C7D649A86A8F501380D7A9488D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
20
DNS requests
7
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2516
RegSvcs.exe
8.8.8.8:53
Google Inc.
US
whitelisted
2516
RegSvcs.exe
91.192.100.18:64599
stannanoserve.duckdns.org
SOFTplus Entwicklungen GmbH
CH
malicious
2516
RegSvcs.exe
79.134.225.23:64599
Andreas Fink trading as Fink Telecom Services
CH
malicious

DNS requests

Domain
IP
Reputation
stannanoserve.duckdns.org
  • 91.192.100.18
malicious

Threats

PID
Process
Class
Message
2516
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info