Field | Value |
---|---|
File name | NanoCore 1.2.2.0_Cracked By Alcatraz3223.rar |
Full analysis | https://app.any.run/tasks/b96e1300-8d71-490b-9e94-a791319dce8a |
Verdict | Malicious activity |
Threats | NanoCore is a Remote Access Trojan (RAT). The malware is highly customizable through plugins, which let operators tailor its functionality to their needs. NanoCore is written on the .NET Framework and is sold for just $25 from its "official" website. |
Analysis date | July 12, 2020, 16:15:43 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-rar |
File info | RAR archive data, v4, os: Win32 |
MD5 | 6C9A8AA7152F4E9389BB06965F36CC1A |
SHA1 | E2CEC42394D6116BD594A4E914CC74B8F9B2E5DB |
SHA256 | 40E8540C8A72AB19A9B1696FB6B72B0680D0BD9DAF2AB53CD1C049855D4EAA07 |
SSDEEP | 98304:owCXrrbodpPWEtoftDDjWYcLRfRASQiwMmO93R/BqYhwGyer0UTl4pRR:FOHmRWqacL3lQa9hZ3hw04Eat |
Extension | Description (match %) |
---|---|
.rar | RAR compressed archive (v-4.x) (58.3) |
.rar | RAR compressed archive (gen) (41.6) |
Field | Value |
---|---|
CompressedSize | 3135 |
UncompressedSize | 22746 |
OperatingSystem | Win32 |
ModifyDate | 2016:06:05 21:53:28 |
PackingMethod | Normal |
ArchivedFileName | NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\builder.log |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1840 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3223.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | | | | |
3012 | "C:\Users\admin\Desktop\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe" | C:\Users\admin\Desktop\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | | explorer.exe |
User: admin Integrity Level: HIGH Description: NanoCore Version: 1.2.2.0 | | | | |
1640 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
1780 | "C:\Windows\system32\taskmgr.exe" /1 | C:\Windows\system32\taskmgr.exe | | taskmgr.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
692 | "C:\Program Files\q\q.exe" | C:\Program Files\q\q.exe | — | explorer.exe |
User: admin Company: http://www.qemu-project.org Integrity Level: MEDIUM Description: QEMU machine emulators and tools Exit code: 1 Version: 2.10.65 | | | | |
332 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | | explorer.exe |
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Exit code: 0 Version: 1748 | | | | |
1464 | "C:\Windows\System32\msdt.exe" -skip TRUE -path C:\Windows\diagnostics\system\networking -ep NetworkDiagnosticsPNI | C:\Windows\System32\msdt.exe | | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Diagnostics Troubleshooting Wizard Exit code: 4294967295 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
2760 | C:\Windows\System32\sdiagnhost.exe -Embedding | C:\Windows\System32\sdiagnhost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Scripted Diagnostics Native Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
2220 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\lj-0dh25.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | | sdiagnhost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | | | | |
2720 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA193.tmp" "c:\Users\admin\AppData\Local\Temp\CSCA192.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | | | | |
PID | Process | Filename | Type |
---|---|---|---|
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\ClientPlugin.xml | xml |
MD5: 5D0381A56563B1CA8928E3CF087F1625 | SHA256: 0497B92461C2A9CE3101D9397FB3079F60979164336A16653D282273D3085BCC | | |
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\client.bin | executable |
MD5: 906A949E34472F99BA683EFF21907231 | SHA256: 9D3EA5AF7DC261BF93C76F55D702A315AA22FB241E4207DC86CD834C262245C8 | | |
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Exceptions\Client\1.2.2.0\c42214a80aee43e514d5aba60af06da2.log | text |
MD5: C42214A80AEE43E514D5ABA60AF06DA2 | SHA256: F93190510C1434EF43C6C389544C5172BF47C4CE1DE57C762616929428563B86 | | |
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Databases\geolocation.sqlite | sqlite |
MD5: 0E8D861CDDEDE3A0B2B02CFC0B060B99 | SHA256: 11BD851D8994D3CA9D078144679AA2DC06841ADDD0947B8FA8AD36758BDECF7A | | |
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Plugins\MultiCore.ncp | binary |
MD5: BECB82E1E914E906BE158E3F9DD658AC | SHA256: 5494ADF651FC64E3AA6C08E38165D8DBFEC52056CDF4FADAE90B76B0E6816A33 | | |
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Plugins\CorePlugin.ncp | binary |
MD5: 7914E7302F72D330AA5F6C5C8C26DF43 | SHA256: F66985518B1E56A04F512D110F5B79F21ED91CBCBF6BD3E17EBA3DCDFB85F9B5 | | |
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | executable |
MD5: 1728ACC244115CBAFD3B810277D2E321 | SHA256: EC359F50CA15395F273899C0FF7C0CD87AB5C2E23FDCFC6C72FEDC0097161D4B | | |
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Plugins\NanoBrowser.ncp | binary |
MD5: 8B13FDC96AF0A84C152F5A601DCC6B06 | SHA256: 997C41B05150480BCFAE9ABB3132FC807F6C6B511B810B554FDB5AEDF89F5DB0 | | |
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\PluginCompiler.exe | executable |
MD5: E2D1C5DF11F9573F6C5D0A7AD1A79FBF | SHA256: 0B41B2FCD0F1A4E913D3EFE293F713849D59EFEBB27BAC060AB31BED51AC2F6B | | |
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Plugins\ManagementPlugin.ncp | binary |
MD5: B612C2C9A6D361A5DB14C04BA126119C | SHA256: B86FE4E126A9748A383A34D615B9598C715F2380C0AAD957495C66923902026C | | |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3012 | NanoCore.exe | GET | 200 | 104.197.246.62:80 | http://lazyshare.net/PluginStats/Functions/getPluginName.php?PluginID=FAD00979338 | US | — | — | unknown |
3012 | NanoCore.exe | POST | 200 | 104.197.246.62:80 | http://lazyshare.net/PluginStats/Functions/newLog.php | US | — | — | unknown |
3012 | NanoCore.exe | POST | 200 | 104.197.246.62:80 | http://lazyshare.net/PluginStats/Functions/checkInstall.php | US | — | — | unknown |
332 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 564 b | whitelisted |
3012 | NanoCore.exe | GET | 200 | 95.211.117.215:80 | http://survey-smiles.com/ | NL | html | 473 b | whitelisted |
3012 | NanoCore.exe | GET | 302 | 95.211.117.215:80 | http://survey-smiles.com/ | NL | text | 11 b | whitelisted |
3012 | NanoCore.exe | POST | 302 | 212.32.237.91:80 | http://nimoru.com/nano/submitFeedback.php | NL | text | 11 b | malicious |
832 | svchost.exe | GET | 200 | 2.21.38.54:80 | http://www.microsoft.com/ | FR | html | 1020 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
332 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
3012 | NanoCore.exe | 104.197.246.62:80 | lazyshare.net | Google Inc. | US | unknown |
332 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3012 | NanoCore.exe | 212.32.237.91:80 | nimoru.com | LeaseWeb Netherlands B.V. | NL | malicious |
832 | svchost.exe | 2.21.38.54:80 | www.microsoft.com | GTT Communications Inc. | FR | malicious |
3012 | NanoCore.exe | 95.211.117.215:80 | survey-smiles.com | LeaseWeb Netherlands B.V. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
lazyshare.net | | unknown |
nimoru.com | | malicious |
survey-smiles.com | | whitelisted |
dns.msftncsi.com | | shared |
certs.opera.com | | whitelisted |
crl4.digicert.com | | whitelisted |
www.microsoft.com | | whitelisted |
nnnmn | | unknown |
Process | Message |
---|---|
NanoCore.exe | Trying to load native SQLite library "C:\Users\admin\Desktop\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\x86\SQLite.Interop.dll"... |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |