Sample: Apollyon.rar
Full analysis: https://app.any.run/tasks/6129ed21-07ca-4cd3-b67f-165f83d216f3
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT) written on the .NET framework. It is highly customizable through plugins, which let attackers tailor its functionality to their needs, and it has been sold for as little as $25 from its "official" website.

Analysis date: March 21, 2019, 19:27:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, nanocore
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 2166D81E422B13EF2B6E92DAC4BAF8DF
SHA1: 1C018EBDBA443C655AC6E45A09CF6AB0181575CF
SHA256: 39639856B2D77C37AF11E934ED6D527B67E175207DE0ECAD2C619D2D4BE335AC
SSDEEP: 49152:tJ28ImsvZ6+Vs+hV/etT/OCUDvKonQz1NlYdJIrDYg:2800+VsyctaQz1NlYdJIrDl

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Because the analyst can interact with the sample, the information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • Apollyon.exe (PID: 2060)
    • Application was dropped or rewritten from another process
      • Apollyon.exe (PID: 2060)
      • 1.xyz (PID: 2212)
      • 1.xyz (PID: 2708)
    • Writes to a start menu file
      • cmd.exe (PID: 3312)
    • NanoCore was detected
      • 1.xyz (PID: 2212)
    • Starts NET.EXE for service management
      • cmd.exe (PID: 1764)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Apollyon.exe (PID: 2060)
      • WinRAR.exe (PID: 716)
      • 1.xyz (PID: 2708)
    • Starts application with an unusual extension
      • Apollyon.exe (PID: 2060)
      • 1.xyz (PID: 2708)
    • Starts CMD.EXE for commands execution
      • 1.xyz (PID: 2708)
    • Creates files in the user directory
      • cmd.exe (PID: 3312)
      • 1.xyz (PID: 2212)
    • Application launched itself
      • 1.xyz (PID: 2708)
    • Connects to unusual port
      • 1.xyz (PID: 2212)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3%)
.rar | RAR compressed archive (gen) (41.6%)

EXIF (ZIP tag group, first archive entry)

CompressedSize: 86606
UncompressedSize: 213504
OperatingSystem: Win32
ModifyDate: 2019:03:06 00:03:13
PackingMethod: Normal
ArchivedFileName: Apollyon\Apollyon-Module.dll
Total processes: 38
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph (process tree, reconstructed from the parent-process column below)

WinRAR.exe (716)
└─ Apollyon.exe (2060)            drop and start
   └─ 1.xyz (2708)                drop and start
      ├─ cmd.exe (3312)           writes x.vbs to the Startup folder
      ├─ cmd.exe (1764)           net stop MpsSvc
      │  └─ net.exe (2956)
      │     └─ net1.exe (2108)
      └─ 1.xyz (2212)             #NANOCORE

Process information

PID 716  WinRAR.exe  (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Apollyon.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2060  Apollyon.exe  (parent: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Apollyon.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Apollyon.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Win32 Cabinet Self-Extractor
  Exit code: 0
  Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
  Note: the version info is that of the Windows IExpress/wextract self-extractor stub, which is why the payload is unpacked into the IXP000.TMP directory seen in the next process.

PID 2708  1.xyz  (parent: Apollyon.exe)
  CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.xyz
  Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.xyz
  User: admin
  Integrity level: MEDIUM
  Exit code: 0

PID 3312  cmd.exe  (parent: 1.xyz)
  CMD: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: >"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  Path: C:\Windows\system32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Note: this one-liner is the persistence mechanism. The echo redirect writes a one-line VBScript into the per-user Startup folder so that WScript.Shell relaunches 1.xyz at every logon; no registry write is needed for it.

PID 1764  cmd.exe  (parent: 1.xyz)
  CMD: /c net stop MpsSvc
  Path: C:\Windows\system32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 2
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Note: MpsSvc is the Windows Firewall service. The exit code 2 returned through net.exe and net1.exe below means the stop request failed, as expected from a medium-integrity process.

PID 2212  1.xyz  (parent: 1.xyz)
  CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.xyz
  Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.xyz
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft .NET Framework CAS Policy Manager
  Version: 2.0.50727.5420 (Win7SP1.050727-5400)
  Note: this second instance carries the version info of the .NET CAS policy tool (caspol.exe), unlike PID 2708 launched from the same path, and is the process in which NanoCore was detected and that makes the outbound connection listed under Connections.

PID 2956  net.exe  (parent: cmd.exe)
  CMD: net stop MpsSvc
  Path: C:\Windows\system32\net.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Net Command
  Exit code: 2
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2108  net1.exe  (parent: net.exe)
  CMD: C:\Windows\system32\net1 stop MpsSvc
  Path: C:\Windows\system32\net1.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Net Command
  Exit code: 2
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
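The indicators list and the process table above give the behaviours worth turning into detections: a cmd.exe echo redirect that drops x.vbs into the Startup folder, net.exe/net1.exe trying to stop MpsSvc, and a payload executed from a file with a non-executable extension inside an IXP000.TMP self-extractor directory that then launches itself and, per the Connections section below, beacons to a dynamic-DNS host on TCP 1604. The following Python is an added example written for this page; it is not ANY.RUN's tooling or code from the report. It runs those checks over constructed process and network records copied from the tables on this page. The record field names, the protected-service names other than MpsSvc, the dynamic-DNS suffix list and the set of "common" ports are assumptions to adapt to your own telemetry.

```python
"""Detections for the behaviours this report records, run over constructed
process-creation and network events copied from the report's tables.
Added example; not ANY.RUN's tooling and not code from the sample."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed records mirroring the report's process table. The field names
# (pid, parent, image, cmdline) are an assumption; map them from your own EDR
# or Sysmon Event ID 1 schema.
PROCESS_EVENTS = [
    {"pid": 716, "parent": "explorer.exe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Apollyon.rar"'},
    {"pid": 2060, "parent": "WinRAR.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Apollyon.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Apollyon.exe"'},
    {"pid": 2708, "parent": "Apollyon.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.xyz",
     "cmdline": r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.xyz"},
    {"pid": 3312, "parent": "1.xyz", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": (r'C:\Windows\system32\cmd.exe /c echo on error resume next:'
                 r'CreateObject("WScript.Shell").Run '
                 r'"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: '
                 r'>"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"')},
    {"pid": 1764, "parent": "1.xyz", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "/c net stop MpsSvc"},
    {"pid": 2212, "parent": "1.xyz",
     "image": r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.xyz",
     "cmdline": r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.xyz"},
    {"pid": 2956, "parent": "cmd.exe", "image": r"C:\Windows\system32\net.exe",
     "cmdline": "net stop MpsSvc"},
    {"pid": 2108, "parent": "net.exe", "image": r"C:\Windows\system32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop MpsSvc"},
]
# Constructed records mirroring the report's Connections table.
NETWORK_EVENTS = [
    {"pid": 2212, "dst": "82.78.166.120", "port": 1604, "domain": "humanityhost123.ddns.net"},
    {"pid": 2212, "dst": "8.8.8.8", "port": 53, "domain": ""},
]

# Output redirection into the per-user Startup folder (the x.vbs drop).
STARTUP_WRITE = re.compile(
    r'>\s*"?([^">]*\\Start Menu\\Programs\\Startup\\[^"]+?)"?\s*$', re.I)
# net/net1/sc stopping a service; only a short list of protected services alerts.
SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(\w+)", re.I)
PROTECTED_SERVICES = {"mpssvc", "windefend", "wscsvc"}   # assumption: extend locally
# IExpress/wextract self-extractors unpack into %TEMP%\IXPnnn.TMP.
IEXPRESS_TEMP = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)
EXEC_EXTS = {".exe", ".com", ".scr"}
DDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.com", "duckdns.org", "hopto.org")  # assumption
COMMON_PORTS = {53, 80, 443}                                                        # assumption


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def analyse_process(ev: dict) -> list[Finding]:
    """Apply the process-level rules to one process-creation record."""
    pid, image = ev["pid"], ev["image"]
    cmd, parent = ev.get("cmdline", ""), ev.get("parent", "")
    out = []
    if m := STARTUP_WRITE.search(cmd):
        out.append(Finding("startup_folder_write", pid, m.group(1)))
    if (m := SERVICE_STOP.search(cmd)) and m.group(1).lower() in PROTECTED_SERVICES:
        out.append(Finding("security_service_stop", pid, m.group(1)))
    if PureWindowsPath(image).suffix.lower() not in EXEC_EXTS:
        out.append(Finding("unusual_extension_exec", pid, image))
    if PureWindowsPath(image).name.lower() == parent.lower():
        out.append(Finding("self_launch", pid, parent))
    if IEXPRESS_TEMP.search(image):
        out.append(Finding("sfx_temp_exec", pid, image))
    return out


def analyse_connection(ev: dict) -> list[Finding]:
    """Flag beacons on non-standard ports and to dynamic-DNS hostnames."""
    out = []
    domain = ev.get("domain", "").lower()
    if ev["port"] not in COMMON_PORTS:
        out.append(Finding("unusual_port", ev["pid"], f'{ev["dst"]}:{ev["port"]}'))
    if domain and any(domain == s or domain.endswith("." + s) for s in DDNS_SUFFIXES):
        out.append(Finding("ddns_domain", ev["pid"], domain))
    return out


def detect(process_events, network_events) -> list[Finding]:
    findings = [f for ev in process_events for f in analyse_process(ev)]
    findings += [f for ev in network_events for f in analyse_connection(ev)]
    return findings


def rules_by_pid(findings) -> dict[int, set[str]]:
    """Group the rule names that fired per PID, for triage."""
    grouped: dict[int, set[str]] = {}
    for f in findings:
        grouped.setdefault(f.pid, set()).add(f.rule)
    return grouped


if __name__ == "__main__":
    for f in detect(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{f.pid:>5}  {f.rule:<24}  {f.detail}")
```

Run against the records from this report, the Startup-folder rule recovers the exact path of x.vbs (the artifact to pull during response), the service-stop rule fires three times along the cmd.exe, net.exe and net1.exe chain, and PID 2212 accumulates five rules, which is the process the report tags as NanoCore. The two WinRAR-related processes stay clean, so the unusual-extension and IXP-directory rules do not fire merely because an archive was opened from %TEMP%.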
Total events: 472 (459 read, 13 write, 0 delete)

Modification events

The 10 registry writes listed here are all WinRAR.exe (PID 716) saving its own UI state and archive history; the autorun change attributed to Apollyon.exe (PID 2060) in the indicators list is not among the entries shown.

HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  ShellExtBMP = (empty)
  ShellExtIcon = (empty)
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
  LanguageList = en-US
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  0 = C:\Users\admin\AppData\Local\Temp\Apollyon.rar
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  name = 120
  size = 80
  type = 120
  mtime = 100
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  UNCAsIntranet = 0
  AutoDetect = 1
Executable files: 6
Suspicious files: 3
Text files: 74
Unknown types: 0

Dropped files (all written by WinRAR.exe, PID 716, while extracting the archive)

C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Apollyon-Module.dll (executable)
  MD5: A69246C38867EEA79DCC3C6E91B0962F
  SHA256: 531A34752FFF603CC66E0DDFE60E1957B2AD4E602A17A87B6664318507C28168
C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Apollyon.exe (executable)
  MD5: BA1C489341B0DDE1B79FE81FA8050322
  SHA256: 789C7F11EF727E6B0CD3659AE9FA46C3249392C42115D5163AB7E028FDF100AA
C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Monaco\vs\basic-languages\bat\bat.js (text)
  MD5: 4CB475399C4490EEA41982DCD6D9653E
  SHA256: 9BCA42394FE8922FEC24B768EEB8CE04692DE6FAD82F9052D5B7E70F5C6B0F40
C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Monaco\globalv.txt (text)
  MD5: 5CF9F238D4E62C8BCDE351651C3A2A45
  SHA256: EEB98F2C9911AE8DDD25F1B3BE3732000F16788BDA60AA962E9F8452012B1062
C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Monaco\base.txt (text)
  MD5: 0D834904A252E1AB786F9637BEF6819F
  SHA256: DBE440C5DEE6367EBCA919886FFE593246E1E52618E4713373000C9FC77C87CC
C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Monaco\vs\basic-languages\csharp\csharp.js (text)
  MD5: F8F841D13C9220E15DCD6BC386B37BA2
  SHA256: 6B3BE9A86EE8E3202F51745D94D24CC1EEFBCF7D9E6D94FBAF70146B084E835F
C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Monaco\classfunc.txt (text)
  MD5: BF32E93D11011EB780619B3E17FB824A
  SHA256: 519DA000DE235C331F10660509FAB51A1815ACE566B8AE5B511B75813922DCB1
C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Monaco\Monaco.html (html)
  MD5: 999896134BD43CEFA865F37E514BA62F
  SHA256: 1ECDD9529EF5487F92736894D94FF680F6C32EE821615D29C0FC814F3A310B4A
C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Monaco\globalf.txt (text)
  MD5: 1700DF0210CDA593D3DF64F51B3CAAEA
  SHA256: DEAE98F86C62749E4B642ACB41EA5DFCE0CAF09BC77036AAE82EE814A04ED9E0
C:\Users\admin\AppData\Local\Temp\Rar$EXa716.49533\Apollyon\Monaco\vs\basic-languages\handlebars\handlebars.js (text)
  MD5: 3CA7CF83292B56444548F2914C0E1811
  SHA256: 31D25588D120E7C79F3332FF3B3C794CEBD0554C7578E3BB37B3CAC366E4F6C2
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process  Destination          Domain                     ASN          CN  Reputation
2212  1.xyz    82.78.166.120:1604   humanityhost123.ddns.net   RCS & RDS    RO  unknown
2212  1.xyz    8.8.8.8:53           (none)                     Google Inc.  US  whitelisted

DNS requests

Domain                     IP              Reputation
humanityhost123.ddns.net   82.78.166.120   malicious

Threats

No threats detected
No debug info