analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PAYMENT_.EXE

Full analysis: https://app.any.run/tasks/17154134-ffeb-4630-94b3-5273fdee15bd
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 08:20:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
nanocore
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

43BBF60EF295BBBC75A3A45BEB66E3F9

SHA1:

E464D93ADC72A72D69B5C57F877A3D3F65689566

SHA256:

409F1A68AF913C1BB9860A3085035EE08EACAD4B3A79B92EF62850D7DC18B6A0

SSDEEP:

12288:ynuxnoUVovJVSYaAbNjgqoSy2qxrC0Y5cg4hSUwiS8MvK0:KuXwSYaWgRte5ySUJSrS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • PAYMENT_.EXE (PID: 2740)

    • NANOCORE was detected

      • RegAsm.exe (PID: 1528)

    • Connects to CnC server

      • RegAsm.exe (PID: 1528)

  • SUSPICIOUS

    • Starts CHOICE.EXE (used to create a delay)

      • cmd.exe (PID: 3304)
      • cmd.exe (PID: 2132)

    • Starts CMD.EXE for commands execution

      • PAYMENT_.EXE (PID: 2740)
      • PAYMENT_.EXE (PID: 3152)

    • Creates files in the user directory

      • PAYMENT_.EXE (PID: 2740)
      • RegAsm.exe (PID: 1528)

    • Executable content was dropped or overwritten

      • PAYMENT_.EXE (PID: 2740)

    • Application launched itself

      • PAYMENT_.EXE (PID: 2740)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:08:23 15:40:34+02:00
PEType: PE32
LinkerVersion: 8
CodeSize: 1068544
InitializedDataSize: 211968
UninitializedDataSize: -
EntryPoint: 0x106d6e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: HTML
FileVersion: 0.0.0.0
InternalName: HTML.exe
LegalCopyright: HTML
OriginalFileName: HTML.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start payment_.exe #NANOCORE regasm.exe cmd.exe no specs choice.exe no specs payment_.exe no specs regasm.exe no specs cmd.exe no specs choice.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2740"C:\Users\admin\AppData\Local\Temp\PAYMENT_.EXE" C:\Users\admin\AppData\Local\Temp\PAYMENT_.EXE
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
HTML
Version:
0.0.0.0
1528"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PAYMENT_.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.7.3062.0 built by: NET472REL1
3304"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\AppData\Local\Temp\PAYMENT_.EXE"C:\Windows\System32\cmd.exePAYMENT_.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1552choice /C Y /N /D Y /T 3 C:\Windows\system32\choice.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3152"C:\Users\admin\AppData\Local\Temp\PAYMENT_.EXE" C:\Users\admin\AppData\Local\Temp\PAYMENT_.EXEPAYMENT_.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
HTML
Version:
0.0.0.0
3872"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exePAYMENT_.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.7.3062.0 built by: NET472REL1
2132"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\AppData\Local\Temp\PAYMENT_.EXE"C:\Windows\System32\cmd.exePAYMENT_.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3820choice /C Y /N /D Y /T 3 C:\Windows\system32\choice.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
499
Read events
491
Write events
8
Delete events
0

Modification events

(PID) Process:(2740) PAYMENT_.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2740) PAYMENT_.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3152) PAYMENT_.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3152) PAYMENT_.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
1
Suspicious files
4
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
1528RegAsm.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bak
MD5:
SHA256:
2740PAYMENT_.EXEC:\Users\admin\AppData\Roaming\filename.exeexecutable
MD5:43BBF60EF295BBBC75A3A45BEB66E3F9
SHA256:409F1A68AF913C1BB9860A3085035EE08EACAD4B3A79B92EF62850D7DC18B6A0
1528RegAsm.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.datbinary
MD5:E62ED68D5B2C1A311F03871DB4F75788
SHA256:F0D68CDE2B4046D44F7952379080555701813CC6E1815B22829347169731E655
1528RegAsm.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.binbinary
MD5:ACD3FB4310417DC77FE06F15B0E353E6
SHA256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
1528RegAsm.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.datbs
MD5:32D0AAE13696FF7F8AF33B2D22451028
SHA256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
1528RegAsm.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.datbinary
MD5:7E8F4A764B981D5B82D1CC49D341E9C6
SHA256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1528
RegAsm.exe
8.8.8.8:53
Google Inc.
US
whitelisted
1528
RegAsm.exe
194.5.98.33:3206
blowmm.duckdns.org
FR
malicious

DNS requests

Domain
IP
Reputation
blowmm.duckdns.org
  • 194.5.98.33
malicious

Threats

PID
Process
Class
Message
1528
RegAsm.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1528
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
1528
RegAsm.exe
A Network Trojan was detected
REMOTE [PTsecurity] NanoCore.RAT
1528
RegAsm.exe
A Network Trojan was detected
REMOTE [PTsecurity] NanoCore.RAT
1528
RegAsm.exe
A Network Trojan was detected
REMOTE [PTsecurity] NanoCore.RAT
1528
RegAsm.exe
A Network Trojan was detected
REMOTE [PTsecurity] NanoCore.RAT
1528
RegAsm.exe
A Network Trojan was detected
REMOTE [PTsecurity] NanoCore.RAT
1528
RegAsm.exe
A Network Trojan was detected
REMOTE [PTsecurity] NanoCore.RAT
1528
RegAsm.exe
A Network Trojan was detected
REMOTE [PTsecurity] NanoCore.RAT
9 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
PAYMENT_.EXE