analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.dosya.tc/server23/pvrur2/PREM_HACK.rar.html

Full analysis: https://app.any.run/tasks/751a618e-55d5-4eb7-8ec9-1e7d224bbc55
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: November 08, 2019, 15:47:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
nanocore
Indicators:
MD5:

7F1CF034D8CBC3DBD20F4B3AF78B7D23

SHA1:

D55952CD425E0C13451BE39EE78829D07F763F75

SHA256:

3063E14CBA71DE8DF84A6398011EFEBEEB25F45E910D87EC6761A90FBE3C5BBE

SSDEEP:

3:N8DSLmLXDXQO96t2LXEsn:2OLmLTX5Y4LXEsn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • PREM HACK.exe (PID: 2068)
      • PREM HACK.exe (PID: 3744)

    • Application was dropped or rewritten from another process

      • PREM HACK.exe (PID: 2068)
      • PREM HACK.exe (PID: 3744)

    • NANOCORE was detected

      • MSBUILD.EXE (PID: 3512)

  • SUSPICIOUS

    • Creates files in the program directory

      • firefox.exe (PID: 4064)
      • firefox.exe (PID: 2200)

    • Creates files in the user directory

      • PREM HACK.exe (PID: 2068)
      • MSBUILD.EXE (PID: 3512)
      • PREM HACK.exe (PID: 3744)

    • Executable content was dropped or overwritten

      • PREM HACK.exe (PID: 2068)
      • PREM HACK.exe (PID: 3744)

  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 1728)
      • chrome.exe (PID: 2128)

    • Manual execution by user

      • firefox.exe (PID: 3088)
      • firefox.exe (PID: 928)
      • NOTEPAD.EXE (PID: 3524)
      • PREM HACK.exe (PID: 2068)
      • PREM HACK.exe (PID: 3744)

    • Application launched itself

      • firefox.exe (PID: 3088)
      • chrome.exe (PID: 2128)
      • firefox.exe (PID: 4064)
      • firefox.exe (PID: 2200)

    • Reads CPU info

      • firefox.exe (PID: 4064)
      • firefox.exe (PID: 2200)

    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 4064)
      • firefox.exe (PID: 2200)

    • Reads settings of System Certificates

      • pingsender.exe (PID: 2644)

    • Creates files in the user directory

      • firefox.exe (PID: 2200)
      • firefox.exe (PID: 4064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
77
Monitored processes
34
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe winrar.exe no specs pingsender.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe firefox.exe winrar.exe no specs notepad.exe no specs prem hack.exe #NANOCORE msbuild.exe prem hack.exe msbuild.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2128"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.dosya.tc/server23/pvrur2/PREM_HACK.rar.html"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
3932"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d90a9d0,0x6d90a9e0,0x6d90a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2168"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2504 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
436"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=988,4397163105529868614,16724191430711435851,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=2857414089188896368 --mojo-platform-channel-handle=1004 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1728"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=988,4397163105529868614,16724191430711435851,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=13702488729525326116 --mojo-platform-channel-handle=1644 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
516"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,4397163105529868614,16724191430711435851,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11649801437488576333 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2196 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2604"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,4397163105529868614,16724191430711435851,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13311373647254818696 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3044"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,4397163105529868614,16724191430711435851,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3251252889439175808 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2404 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3092"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,4397163105529868614,16724191430711435851,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1658151838753705689 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2924"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,4397163105529868614,16724191430711435851,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10751625007702131937 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
3 852
Read events
3 708
Write events
140
Delete events
4

Modification events

(PID) Process:(2128) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(2128) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(2128) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(2128) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(2128) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2128) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(2168) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:writeName:2128-13217701642649000
Value:
259
(PID) Process:(2128) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(2128) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:1512-13197841398593750
Value:
0
(PID) Process:(2128) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:2128-13217701642649000
Value:
259
Executable files
2
Suspicious files
232
Text files
157
Unknown types
140

Dropped files

PID
Process
Filename
Type
2128chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\dd70afdb-046d-48b8-9e90-a91f73d5d788.tmp
MD5:
SHA256:
2128chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
MD5:
SHA256:
2128chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:3D551B6E929CF62F7AA66091E718704B
SHA256:1698A1B1BC3E86676392FB8BD4C712438302A5A2220503C08F290ED4B1790404
2128chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DC32343F45B01764B6267AD36548102A
SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
2128chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:A519780ED0A2F4336DB4F5651D79C369
SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
2128chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
MD5:
SHA256:
2128chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RF39aac1.TMPtext
MD5:3D551B6E929CF62F7AA66091E718704B
SHA256:1698A1B1BC3E86676392FB8BD4C712438302A5A2220503C08F290ED4B1790404
2128chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:213AE3DA120D7862D60B5763B6C9D466
SHA256:5736534D6EE654C1BF1A8E79E73330AF58F622E8657285330D2C7189A55604F4
2128chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF39aa15.TMPtext
MD5:C4D6CBB269C626168A5D6D0D8CCE6C30
SHA256:B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348
2128chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF39aa15.TMPtext
MD5:DC32343F45B01764B6267AD36548102A
SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
147
DNS requests
207
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1728
chrome.exe
GET
103.2.116.76:80
http://r1---sn-f5p5-hxae.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=85.203.20.11&mm=28&mn=sn-f5p5-hxae&ms=nvh&mt=1573227988&mv=m&mvi=0&pl=24&shardbypass=yes
AU
whitelisted
4064
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
4064
firefox.exe
POST
200
151.139.128.14:80
http://ocsp.comodoca.com/
US
der
472 b
whitelisted
1728
chrome.exe
GET
302
172.217.18.174:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
510 b
whitelisted
4064
firefox.exe
POST
200
216.58.206.3:80
http://ocsp.pki.goog/gts1o1
US
der
472 b
whitelisted
4064
firefox.exe
POST
200
72.247.178.16:80
http://ocsp.int-x3.letsencrypt.org/
NL
der
527 b
whitelisted
2200
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
4064
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
4064
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
4064
firefox.exe
POST
200
216.58.206.3:80
http://ocsp.pki.goog/gts1o1
US
der
472 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1728
chrome.exe
172.217.18.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
1728
chrome.exe
172.217.21.238:443
www.google-analytics.com
Google Inc.
US
whitelisted
1728
chrome.exe
136.243.28.94:443
www.dosya.tc
Hetzner Online GmbH
DE
suspicious
1728
chrome.exe
188.42.162.208:443
pushlommy.com
Webzilla B.V.
NL
unknown
1728
chrome.exe
172.217.18.170:443
translate.googleapis.com
Google Inc.
US
whitelisted
1728
chrome.exe
216.58.207.66:443
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
1728
chrome.exe
216.58.208.45:443
accounts.google.com
Google Inc.
US
whitelisted
1728
chrome.exe
172.217.16.162:443
adservice.google.it
Google Inc.
US
whitelisted
1728
chrome.exe
172.217.22.66:443
adservice.google.com
Google Inc.
US
whitelisted
1728
chrome.exe
216.58.207.34:443
adservice.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.18.3
whitelisted
www.dosya.tc
  • 136.243.28.94
whitelisted
accounts.google.com
  • 216.58.208.45
shared
pushlommy.com
  • 188.42.162.208
  • 188.42.162.207
suspicious
pagead2.googlesyndication.com
  • 216.58.207.66
  • 172.217.23.130
  • 216.58.205.226
whitelisted
www.google-analytics.com
  • 172.217.21.238
whitelisted
translate.googleapis.com
  • 172.217.18.170
whitelisted
adservice.google.it
  • 172.217.16.162
  • 172.217.18.162
  • 172.217.16.194
whitelisted
adservice.google.com
  • 216.58.207.34
  • 172.217.22.66
whitelisted
stats.g.doubleclick.net
  • 64.233.167.156
  • 64.233.167.154
  • 64.233.167.155
  • 64.233.167.157
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
3512
MSBUILD.EXE
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3512
MSBUILD.EXE
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3512
MSBUILD.EXE
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3512
MSBUILD.EXE
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3512
MSBUILD.EXE
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3512
MSBUILD.EXE
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3512
MSBUILD.EXE
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.dosya.tc/server23/pvrur2/PREM_HACK.rar.html