File name: LCL-BANKDETAILS0293843098543985784994854939843.js

Full analysis: https://app.any.run/tasks/07983e93-cc7b-497a-b958-98b1392f5270
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). It is highly customizable through plugins, which let attackers tailor its functionality to their needs. NanoCore is written for the .NET Framework and is sold for as little as $25 from its "official" website.

Analysis date: February 18, 2019, 16:22:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: autoit, trojan, nanocore, rat
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: 6AF936FDAFE6E682014AFE09DFF6BFEF
SHA1: E8C99B48CC8C2A36D84A3013247290D371B032B5
SHA256: 3AAAD88240A42198620E44F8978F274E015E0E0BE5602E9A6C3BE5496C5A8712
SSDEEP: 24576:CTztznj5oS7gptAB76mGnxOD//7LchC5Phvoh0sJT3WaVDnRgEbpgKfZSoS+180N:CZj5oEaCoW8bdxZEGj2a0Obf

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been distorted by user actions and is provided as-is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • AESzikzZNFuuweoGHd.scr (PID: 3904)
      • srl.exe (PID: 3952)
      • srl.exe (PID: 1168)
    • Changes the autorun value in the registry

      • srl.exe (PID: 1168)
      • RegSvcs.exe (PID: 4048)
    • NanoCore was detected

      • RegSvcs.exe (PID: 4048)
    • Connects to CnC server

      • RegSvcs.exe (PID: 4048)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3068)
      • AESzikzZNFuuweoGHd.scr (PID: 3904)
    • Drop AutoIt3 executable file

      • AESzikzZNFuuweoGHd.scr (PID: 3904)
    • Starts application with an unusual extension

      • WScript.exe (PID: 3068)
    • Application launched itself

      • srl.exe (PID: 3952)
    • Creates files in the user directory

      • RegSvcs.exe (PID: 4048)
    • Connects to unusual port

      • RegSvcs.exe (PID: 4048)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • srl.exe (PID: 3952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 5
Malicious processes: 5
Suspicious processes: 0

Behavior graph

wscript.exe (3068) -> aeszikzznfuuweoghd.scr (3904, dropped and started) -> srl.exe (3952, dropped and started; no specs) -> srl.exe (1168, started) -> regsvcs.exe (4048, #NANOCORE)

Process information (PID, command line, path, parent process, image metadata)

PID 3068  "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\LCL-BANKDETAILS0293843098543985784994854939843.js"
  Path: C:\Windows\System32\WScript.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 3904  "C:\Users\admin\AppData\Local\Temp\AESzikzZNFuuweoGHd.scr" /S
  Path: C:\Users\admin\AppData\Local\Temp\AESzikzZNFuuweoGHd.scr
  Parent process: WScript.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3952  "C:\Users\admin\AppData\Local\Temp\61672022\srl.exe" goa=dxu
  Path: C:\Users\admin\AppData\Local\Temp\61672022\srl.exe
  Parent process: AESzikzZNFuuweoGHd.scr
  User: admin
  Company: AutoIt Team
  Integrity Level: MEDIUM
  Description: AutoIt v3 Script
  Exit code: 0
  Version: 3, 3, 14, 5

PID 1168  C:\Users\admin\AppData\Local\Temp\61672022\srl.exe C:\Users\admin\AppData\Local\Temp\61672022\AXJRJ
  Path: C:\Users\admin\AppData\Local\Temp\61672022\srl.exe
  Parent process: srl.exe
  User: admin
  Company: AutoIt Team
  Integrity Level: MEDIUM
  Description: AutoIt v3 Script
  Exit code: 0
  Version: 3, 3, 14, 5

PID 4048  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Parent process: srl.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft .NET Services Installation Utility
  Version: 4.6.1055.0 built by: NETFXREL2
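The chain in the table (a script host starting a dropped .scr from %TEMP%, an AutoIt-compiled srl.exe relaunching itself, then RegSvcs.exe started with an empty command line) is the usual shape of an AutoIt loader handing a .NET payload to a hollowed framework utility. Note that the argument goa=dxu given to srl.exe (PID 3952) is also the name of a file the .scr dropped into the same directory (see Dropped files below). The following is an added example, not ANY.RUN code or ANY.RUN's own signatures: it encodes those three observations as heuristics and runs them over a process list constructed from the table above. The rule sets (script hosts, hollowing targets, user-writable paths) are the author's assumptions.

```python
"""Added example (not ANY.RUN code): flag the process-chain patterns in this
report's Process information table. PROCESSES is constructed from that table;
the rules are generic heuristics, not ANY.RUN's signatures."""
import ntpath
import re

# Constructed from the report's process table: parent image name, company, image path, command line.
PROCESSES = [
    {"pid": 3068, "parent": "explorer.exe", "company": "Microsoft Corporation",
     "path": r"C:\Windows\System32\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\LCL-BANKDETAILS0293843098543985784994854939843.js"'},
    {"pid": 3904, "parent": "WScript.exe", "company": "",
     "path": r"C:\Users\admin\AppData\Local\Temp\AESzikzZNFuuweoGHd.scr",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\AESzikzZNFuuweoGHd.scr" /S'},
    {"pid": 3952, "parent": "AESzikzZNFuuweoGHd.scr", "company": "AutoIt Team",
     "path": r"C:\Users\admin\AppData\Local\Temp\61672022\srl.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\61672022\srl.exe" goa=dxu'},
    {"pid": 1168, "parent": "srl.exe", "company": "AutoIt Team",
     "path": r"C:\Users\admin\AppData\Local\Temp\61672022\srl.exe",
     "cmd": r"C:\Users\admin\AppData\Local\Temp\61672022\srl.exe C:\Users\admin\AppData\Local\Temp\61672022\AXJRJ"},
    {"pid": 4048, "parent": "srl.exe", "company": "Microsoft Corporation",
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
]

# Assumptions: which images count as script hosts, which directories are user-writable,
# and which .NET framework utilities loaders commonly start suspended and hollow out.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\appdata\\(local\\temp|roaming)\\", re.I)
DOTNET_HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def has_no_args(cmd, path):
    """True when the command line is nothing but the image path (quoted or not)."""
    return cmd.strip() in (path, f'"{path}"')


def findings(processes):
    """Return [(pid, reason), ...] in table order; a PID may appear more than once."""
    out = []
    for p in processes:
        name = ntpath.basename(p["path"]).lower()
        parent = p["parent"].lower()
        if parent in SCRIPT_HOSTS and USER_WRITABLE.search(p["path"]) and not name.endswith(".exe"):
            out.append((p["pid"], "script host started a non-.exe image from a user-writable directory"))
        if p["company"] == "AutoIt Team" and parent == name:
            out.append((p["pid"], "AutoIt-compiled binary relaunched itself"))
        if name in DOTNET_HOLLOW_TARGETS and has_no_args(p["cmd"], p["path"]):
            # RegSvcs/RegAsm/InstallUtil always take an assembly path; an empty
            # command line means the image was started only to host foreign code.
            out.append((p["pid"], f"{name} started with no arguments (hollowing target)"))
    return out


if __name__ == "__main__":
    for pid, reason in findings(PROCESSES):
        print(pid, reason)
```

Run against the constructed list it reports 3904, 1168 and 4048 and stays silent on 3952, which matches the report's graph marking that instance of srl.exe as "no specs".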
Total events: 772
Read events: 761
Write events: 11
Delete events: 0

Modification events

PID 3068 (WScript.exe)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: UNCAsIntranet   Value: 0

PID 3068 (WScript.exe)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: AutoDetect   Value: 1

PID 3904 (AESzikzZNFuuweoGHd.scr)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: UNCAsIntranet   Value: 0

PID 3904 (AESzikzZNFuuweoGHd.scr)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: AutoDetect   Value: 1

PID 1168 (srl.exe)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Operation: write   Name: WindowsUpdate
  Value: C:\Users\admin\AppData\Local\Temp\61672022\srl.exe C:\Users\admin\AppData\Local\Temp\61672022\GOA_DX~1

PID 4048 (RegSvcs.exe)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Operation: write   Name: TCP Monitor
  Value: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
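The two Run-key writes above carry the traits that make autorun entries stand out on a host: targets under AppData, a GUID-named directory, an 8.3 short name (GOA_DX~1) hiding the real file name, value names that imitate Windows components, and in the second case a .NET framework utility as the writer. The following is an added example, not ANY.RUN code: it scores Run-value writes by those traits over events constructed from the table above plus one constructed benign entry. The trait list, the look-alike names and the threshold are the author's assumptions.

```python
"""Added example (not ANY.RUN code): score HKCU ...\\Run writes like the two in
this report's Modification events table. Events are constructed from that
table plus one benign control; the heuristics are the author's assumptions."""
import re

RUN_KEY_WRITES = [
    # From the Modification events table above.
    {"pid": 1168, "process": "srl.exe", "name": "WindowsUpdate",
     "value": r"C:\Users\admin\AppData\Local\Temp\61672022\srl.exe C:\Users\admin\AppData\Local\Temp\61672022\GOA_DX~1"},
    {"pid": 4048, "process": "RegSvcs.exe", "name": "TCP Monitor",
     "value": r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe"},
    # Constructed benign control entry.
    {"pid": 2000, "process": "OneDriveSetup.exe", "name": "OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

USER_WRITABLE = re.compile(r"\\appdata\\(local\\temp|roaming)\\", re.I)
GUID_DIR = re.compile(r"\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
SHORT_NAME = re.compile(r"~\d")  # 8.3 name such as GOA_DX~1 masks the real file name
# Value names that imitate Windows or vendor components (assumption: short list).
LOOKALIKE_NAMES = {"windowsupdate", "windows update", "tcp monitor", "java update"}
# .NET framework utilities that have no legitimate reason to create Run values.
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def score(ev):
    """Return the list of reasons a Run-value write looks like malware persistence."""
    reasons = []
    value, name = ev["value"], ev["name"].lower()
    if USER_WRITABLE.search(value):
        reasons.append("autorun target under AppData")
    if GUID_DIR.search(value):
        reasons.append("GUID-named directory")
    if SHORT_NAME.search(value):
        reasons.append("8.3 short name in command line")
    if name in LOOKALIKE_NAMES:
        reasons.append("value name imitates a Windows component")
    if ev["process"].lower() in DOTNET_UTILITIES:
        reasons.append("written by a .NET utility that does not set Run values")
    return reasons


def suspicious(events, threshold=2):
    """Events with at least `threshold` reasons, as (pid, value name, reasons)."""
    hits = []
    for ev in events:
        reasons = score(ev)
        if len(reasons) >= threshold:
            hits.append((ev["pid"], ev["name"], reasons))
    return hits


if __name__ == "__main__":
    for pid, name, reasons in suspicious(RUN_KEY_WRITES):
        print(pid, name, "; ".join(reasons))
```

A threshold of two keeps a single AppData path (common for per-user installers) from firing on its own; both entries from the report clear it with room to spare, the control entry scores zero.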
Executable files: 2
Suspicious files: 0
Text files: 50
Unknown types: 0

Dropped files (PID, process, filename, type)

3904  AESzikzZNFuuweoGHd.scr  C:\Users\admin\AppData\Local\Temp\61672022\lbs.jpg  (text)
      MD5:    1D8E0981357724A2CB257538082B0E0A
      SHA256: F564457642A113C41A788BEF5D764DDDC9C50B03AF35734D6643472BF3593EF5
3904  AESzikzZNFuuweoGHd.scr  C:\Users\admin\AppData\Local\Temp\61672022\qxl.txt  (text)
      MD5:    BD999E79B099C877109BEFEFCA237DFB
      SHA256: 8A936708180B50268677BCF0491C22213C904FE10815549D993DDB677F09F09B
3904  AESzikzZNFuuweoGHd.scr  C:\Users\admin\AppData\Local\Temp\61672022\goa=dxu  (text)
      MD5:    36739DA2F2BD12729F89DC46788A37F5
      SHA256: 38A1B7979D2DE78BDC3CAA0D022AD0CE1DC0A4F0B226723009441E5F90B84AD0
3904  AESzikzZNFuuweoGHd.scr  C:\Users\admin\AppData\Local\Temp\61672022\wnr.ppt  (text)
      MD5:    DEEF567737B9DDAB037A4B6CE0FCCE62
      SHA256: 6445F4F5EAA372DDBDC9131459F17F61F6961960ADD7A633D31855DF1681EA47
3904  AESzikzZNFuuweoGHd.scr  C:\Users\admin\AppData\Local\Temp\61672022\ifm.mp4  (text)
      MD5:    7AC3893598237803215A7CA66AACA5CC
      SHA256: 6728700FA14D83C3AEFA140A42CC5FEE218B8D2363E3D1EBDF84C7F78CB594D4
3904  AESzikzZNFuuweoGHd.scr  C:\Users\admin\AppData\Local\Temp\61672022\odw.ico  (text)
      MD5:    7A7AC68F497A0912836A58ED34CEAB1F
      SHA256: 7246F3E27E71677642651E035D2FD07C1C0390EBC8D83442CE45684E85AF6151
3904  AESzikzZNFuuweoGHd.scr  C:\Users\admin\AppData\Local\Temp\61672022\mxd.txt  (text)
      MD5:    CEF5DD25B0EB969A262E97664B1CC9A7
      SHA256: 6F4A5356AD4B54A2F378C45BF1816BB49209BB6916844A8455520C51D5DF8FF4
3904  AESzikzZNFuuweoGHd.scr  C:\Users\admin\AppData\Local\Temp\61672022\bon.bmp  (text)
      MD5:    978A6D6DC775A004A64AC8C61A1872DD
      SHA256: E7300091A47D0F80F301B701441CE154DDECC9ECC82D4FD79AE8BFBA19C3EC93
3068  WScript.exe             C:\Users\admin\AppData\Local\Temp\AESzikzZNFuuweoGHd.scr  (executable)
      MD5:    9DF4A21A47615283A4EC07825A7B5AF3
      SHA256: 9D9AB7D8F813A3DA7C7216CF0A67CA3B158888ECCC0A588A52B3E002339772D3
3904  AESzikzZNFuuweoGHd.scr  C:\Users\admin\AppData\Local\Temp\61672022\neo.pdf  (text)
      MD5:    C58491DB3EA4637C6C9C09042F950DC4
      SHA256: D08552F23A6AC464D7F70CAD513A4A356CF665B00ED77497DEEE81CBF211C61D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP:port               Domain              ASN          CN  Reputation
4048  RegSvcs.exe  185.247.228.73:33733  mrstan.duckdns.org  -            -   malicious
4048  RegSvcs.exe  8.8.8.8:53            -                   Google Inc.  US  whitelisted

DNS requests

Domain              IP              Reputation
mrstan.duckdns.org  185.247.228.73  malicious

Threats

PID   Process      Class                          Message
4048  RegSvcs.exe  Misc activity                  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
4048  RegSvcs.exe  A Network Trojan was detected  ET TROJAN Possible NanoCore C2 60B
4048  RegSvcs.exe  A Network Trojan was detected  MALWARE [PTsecurity] NanoCore.RAT  (8 alerts)
57 ETPRO signatures available at the full report
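The network side of this report reduces to three facts: the resolved name is on a free dynamic-DNS provider (which is all the ET INFO signature above keys on), the destination port is one no Windows component uses, and the process doing it is RegSvcs.exe, which has no reason to open sockets at all. The following is an added example, not ANY.RUN or Emerging Threats code: it applies those three checks to connection records constructed from the Connections and DNS tables plus one constructed benign record, and collects the C2 indicators. The dynamic-DNS suffix list, the expected-port set and the list of no-network utilities are the author's assumptions.

```python
"""Added example (not ANY.RUN code): classify the connections in this report's
Connections/DNS tables. Records are constructed from those tables plus one
benign control; the suffix list and port policy are the author's assumptions,
not Emerging Threats' or ANY.RUN's definitions."""
import ipaddress

CONNECTIONS = [
    # From the Connections table above (domain taken from the DNS table).
    {"pid": 4048, "process": "RegSvcs.exe", "ip": "185.247.228.73", "port": 33733, "domain": "mrstan.duckdns.org"},
    {"pid": 4048, "process": "RegSvcs.exe", "ip": "8.8.8.8", "port": 53, "domain": ""},
    # Constructed benign control.
    {"pid": 5100, "process": "chrome.exe", "ip": "93.184.216.34", "port": 443, "domain": "example.com"},
]

# Free dynamic-DNS providers often used for RAT C2 (assumption: partial list).
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".no-ip.biz", ".ddns.net", ".hopto.org")
# Ports a host process is expected to reach on the internet (assumption).
EXPECTED_PORTS = {53, 80, 443}
# .NET framework utilities with no reason to open outbound sockets.
NO_NETWORK_EXPECTED = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def classify(conn):
    """Return the list of reasons a connection looks like C2 traffic."""
    reasons = []
    domain = conn["domain"].lower()
    if domain.endswith(DYNDNS_SUFFIXES):
        reasons.append("dynamic DNS domain")
    if conn["port"] not in EXPECTED_PORTS:
        reasons.append(f"unusual destination port {conn['port']}")
    # Resolver traffic on 53 is judged by what it resolves (see the DNS table),
    # not by the process that sent it, so it is left out of the process rule.
    if (conn["process"].lower() in NO_NETWORK_EXPECTED and conn["port"] != 53
            and ipaddress.ip_address(conn["ip"]).is_global):
        reasons.append(f"{conn['process']} made an outbound connection")
    return reasons


def c2_iocs(conns):
    """Set of (domain, ip, port) for every connection with at least one reason."""
    return {(c["domain"], c["ip"], c["port"]) for c in conns if classify(c)}


if __name__ == "__main__":
    for c in CONNECTIONS:
        print(c["process"], f'{c["ip"]}:{c["port"]}', classify(c) or "clean")
    print(sorted(c2_iocs(CONNECTIONS)))
```

The 8.8.8.8:53 record comes out clean, as the report's own "whitelisted" rating has it; the C2 record trips all three rules, and the IOC set contains exactly the domain, address and port a responder would block or hunt for.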
No debug info