File name: | MALWARE SAMPLE.zip |
Full analysis: | https://app.any.run/tasks/222a6168-a71b-486d-89f7-73851386936b |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | April 25, 2019, 14:19:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | AF4E28A19A07D9715F387169D69255A3 |
SHA1: | 9B8308977627A20B71655163D0AA433B355EF964 |
SHA256: | 2D4B38AF216E175A6F149DDDAAAF7508A6F94269BECC25F9774BEA7738F5073B |
SSDEEP: | 6144:1OMXeLiLltf5EWNKHnJeJqEIK7svo2mv7UV4b3rFR1ujgoat6WZMLu:1l7LlEWWJDEIdvo2YiKIjjmZ2u |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:04:25 14:17:07 |
ZipCRC: | 0xe5f31b93 |
ZipCompressedSize: | 317273 |
ZipUncompressedSize: | 339968 |
ZipFileName: | d005a7e953b39f2420ee787489517cdd6ffb87f573d97dfb46ee65398050786c.bin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3864 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MALWARE SAMPLE.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2112 | "C:\Users\admin\Desktop\fak.exe" | C:\Users\admin\Desktop\fak.exe | — | explorer.exe |
User: admin Company: Wizolla Integrity Level: MEDIUM Description: Timothy Exit code: 0 Version: 37.378.378.29 | ||||
3284 | "C:\Users\admin\Desktop\fak.exe" | C:\Users\admin\Desktop\fak.exe | — | explorer.exe |
User: admin Company: Wizolla Integrity Level: MEDIUM Description: Timothy Exit code: 0 Version: 37.378.378.29 | ||||
2212 | "C:\Users\admin\Desktop\fak.exe" | C:\Users\admin\Desktop\fak.exe | fak.exe | |
User: admin Company: Wizolla Integrity Level: MEDIUM Description: Timothy Version: 37.378.378.29 | ||||
3520 | "C:\Users\admin\Desktop\fak.exe" | C:\Users\admin\Desktop\fak.exe | — | fak.exe |
User: admin Company: Wizolla Integrity Level: MEDIUM Description: Timothy Exit code: 0 Version: 37.378.378.29 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3864 | WinRAR.exe | C:\Users\admin\Desktop\d005a7e953b39f2420ee787489517cdd6ffb87f573d97dfb46ee65398050786c.bin | executable | |
MD5:F620B40DA501C5213A6E2BA70C3E9681 | SHA256:D005A7E953B39F2420EE787489517CDD6FFB87F573D97DFB46EE65398050786C | |||
2212 | fak.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | |
MD5:2E478D7B08C77227898B114BD83A36C9 | SHA256:23292A0A46C4E79F3471751FF11884F2B64D825F484D427D219AAF72210D52D0 | |||
2212 | fak.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | |
MD5:F620B40DA501C5213A6E2BA70C3E9681 | SHA256:D005A7E953B39F2420EE787489517CDD6FFB87F573D97DFB46EE65398050786C |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2212 | fak.exe | 194.68.59.60:555 | — | Inleed AB | SE | malicious |