URL: https://sites.google.com/site/downloadarkivo22/NanoCore%20RAT%201.0.3.0%20Cracked.rar?attredirects=0&d=1

Full analysis: https://app.any.run/tasks/f4e79799-4fc6-46da-8e6d-e244b4a6ca37
Verdict: Malicious activity
Analysis date: August 08, 2020, 17:45:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: CD96CBB121B3C3E2F983F1078C7C3022
SHA1: DBA897FD07E069F53CA2C87231DB6A9B64A5E096
SHA256: 24C0225840A63D9F51C9918863EB3BCA31F389A733E29CC455F6AF75AA328076
SSDEEP: 3:N8BhLJ3uwMR0SMXjTNrpp4yLxmUEsWZ5:2J+wQ0SQNrppq5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • NanoCore.exe (PID: 1680)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2924)
  • INFO
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2468)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2468)
      • iexplore.exe (PID: 2804)
    • Application launched itself
      • iexplore.exe (PID: 2804)
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 2804)
    • Changes internet zones settings
      • iexplore.exe (PID: 2804)
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 2924)
    • Manual execution by user
      • NanoCore.exe (PID: 1680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph: iexplore.exe, iexplore.exe, winrar.exe, nanocore.exe

Process information

PID: 2804
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://sites.google.com/site/downloadarkivo22/NanoCore%20RAT%201.0.3.0%20Cracked.rar?attredirects=0&d=1"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2468
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2804 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2924
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\NanoCore RAT 1.0.3.0 Cracked.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1680
CMD: "C:\Users\admin\Desktop\NanoCore 1.0.3.0\NanoCore.exe"
Path: C:\Users\admin\Desktop\NanoCore 1.0.3.0\NanoCore.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description:
Version: 1.0.3.0
Total events: 1 396
Read events: 1 313
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 7
Suspicious files: 21
Text files: 298
Unknown types: 12

Dropped files

PID | Process | Filename | Type
2468 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabC6F.tmp | (type not listed)
  MD5: (not listed)
  SHA256: (not listed)
2468 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarC70.tmp | (type not listed)
  MD5: (not listed)
  SHA256: (not listed)
2804 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFF2AD6FD9D90E9AB3.TMP | (type not listed)
  MD5: (not listed)
  SHA256: (not listed)
2804 | iexplore.exe | C:\Users\admin\Downloads\NanoCore RAT 1.0.3.0 Cracked.rar.mq2o99d.partial:Zone.Identifier | (type not listed)
  MD5: (not listed)
  SHA256: (not listed)
2468 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_F8819B87A0A725EAC12590D5D3764660 | binary
  MD5: 16C6A6ED7EB384D4BCD7B40E3B66099B
  SHA256: B9DC6BFE82B41867C6DBEB1BCBEFB2F26D56A716BA32CD86FB793A0568594DE2
2468 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_66063E1D41DB33DA9172ED5118AD6EE3 | binary
  MD5: 07BD117B338E9538C80DD24C3716E3D7
  SHA256: 1C083A9341E3278623E366EEF3321CD4F5389C91D7A0E6985E1BA04EB85C35BF
2468 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | der
  MD5: 1C400D233070530C717A810D7F9BC99E
  SHA256: 58B407B0DDF17FBF78FCB2E2DAD4FABAADA9BD88641F19941480951A200AE4E0
2468 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_66063E1D41DB33DA9172ED5118AD6EE3 | der
  MD5: 51F698349BCE3EEBB7F6740B4ECE577D
  SHA256: D63DFBF293DD3C550092DE037C23DFBCE599581A03FF2AA19D8546981A10AA35
2468 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary
  MD5: FB8EC12428FCB2CCC0F6CF1DE8C66BCE
  SHA256: 18900256B405ABC7AA6ECA7D243870DE50C1693856AABC36FF75431CEC9EA5FB
2468 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\NanoCore%20RAT%201.0.3.0%20Cracked[1].htm | compressed
  MD5: 15B57601C00C7D29EE2E38909858A6FB
  SHA256: 7A4376E062D4390D0E8F4554CD1CFCB7D3AF0B3C87EC47D07DCAC4E2A389BC5E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 14
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2468 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQC2x5JiNmH3KQIAAAAAc8zD | US | der | 472 b | whitelisted
1048 | svchost.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D | US | der | 492 b | whitelisted
2468 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
2468 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
2468 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEAKhmcGKkEWcAgAAAABzzGw%3D | US | der | 471 b | whitelisted
2468 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEAKhmcGKkEWcAgAAAABzzGw%3D | US | der | 471 b | whitelisted
1680 | NanoCore.exe | GET | 200 | 95.211.219.67:80 | http://survey-smiles.com/ | NL | html | 473 b | whitelisted
2468 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQC2x5JiNmH3KQIAAAAAc8zD | US | der | 472 b | whitelisted
1680 | NanoCore.exe | GET | 200 | 95.211.219.67:80 | http://survey-smiles.com/ | NL | html | 473 b | whitelisted
1680 | NanoCore.exe | POST | 302 | 46.166.182.109:80 | http://elitevs.net/nanocore/pollResults.php | NL | text | 11 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2468 | iexplore.exe | 74.125.140.137:443 | b737cf43-a-62cb3a1a-s-sites.googlegroups.com | Google Inc. | US | shared
1048 | svchost.exe | 172.217.16.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
2468 | iexplore.exe | 172.217.16.174:443 | sites.google.com | Google Inc. | US | whitelisted
2468 | iexplore.exe | 172.217.16.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
(not listed) | (not listed) | 95.211.219.67:80 | survey-smiles.com | LeaseWeb Netherlands B.V. | NL | malicious
1680 | NanoCore.exe | 46.166.182.109:80 | elitevs.net | NForce Entertainment B.V. | NL | suspicious
1680 | NanoCore.exe | 95.211.219.67:80 | survey-smiles.com | LeaseWeb Netherlands B.V. | NL | malicious

DNS requests

Domain | IP | Reputation
sites.google.com | 172.217.16.174 | whitelisted
ocsp.pki.goog | 172.217.16.131 | whitelisted
b737cf43-a-62cb3a1a-s-sites.googlegroups.com | 74.125.140.137 | shared
elitevs.net | 46.166.182.109 | malicious
survey-smiles.com | 95.211.219.67 | whitelisted

Threats

No threats detected
Process | Message
NanoCore.exe | Trying to load native SQLite library "C:\Users\admin\Desktop\NanoCore 1.0.3.0\x86\SQLite.Interop.dll"...