File name:

NanoCore 1.2.2.0_Cracked By Alcatraz3223.rar

Full analysis: https://app.any.run/tasks/b96e1300-8d71-490b-9e94-a791319dce8a
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). It is highly customizable through plugins, which allow attackers to tailor its functionality to their needs. NanoCore is written on the .NET framework and is sold for just $25 from its “official” website.

Analysis date: July 12, 2020, 16:15:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, nanocore
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 6C9A8AA7152F4E9389BB06965F36CC1A
SHA1: E2CEC42394D6116BD594A4E914CC74B8F9B2E5DB
SHA256: 40E8540C8A72AB19A9B1696FB6B72B0680D0BD9DAF2AB53CD1C049855D4EAA07
SSDEEP: 98304:owCXrrbodpPWEtoftDDjWYcLRfRASQiwMmO93R/BqYhwGyer0UTl4pRR:FOHmRWqacL3lQa9hZ3hw04Eat

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • NanoCore.exe (PID: 3012)
      • fgfgtyf.exe (PID: 2768)
    • Application was dropped or rewritten from another process

      • NanoCore.exe (PID: 3012)
      • fgfgtyf.exe (PID: 2768)
      • fgfgtyf.exe (PID: 3856)
    • Starts Visual C# compiler

      • sdiagnhost.exe (PID: 2760)
    • NANOCORE was detected

      • fgfgtyf.exe (PID: 2768)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1840)
      • NanoCore.exe (PID: 3012)
      • msdt.exe (PID: 1464)
    • Creates files in the user directory

      • NanoCore.exe (PID: 3012)
      • fgfgtyf.exe (PID: 2768)
    • Application launched itself

      • taskmgr.exe (PID: 1640)
    • Executed via COM

      • sdiagnhost.exe (PID: 2760)
    • Uses IPCONFIG.EXE to discover IP address

      • sdiagnhost.exe (PID: 2760)
  • INFO

    • Manual execution by user

      • NanoCore.exe (PID: 3012)
      • taskmgr.exe (PID: 1640)
      • q.exe (PID: 692)
      • opera.exe (PID: 332)
      • msdt.exe (PID: 1464)
      • fgfgtyf.exe (PID: 2768)
      • fgfgtyf.exe (PID: 3856)
    • Creates files in the user directory

      • opera.exe (PID: 332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 3135
UncompressedSize: 22746
OperatingSystem: Win32
ModifyDate: 2016:06:05 21:53:28
PackingMethod: Normal
ArchivedFileName: NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\builder.log
No data.
All screenshots are available in the full report
Total processes: 64
Monitored processes: 15
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph, from start: winrar.exe, nanocore.exe, taskmgr.exe (no specs), taskmgr.exe, q.exe (no specs), opera.exe, msdt.exe, sdiagnhost.exe (no specs), csc.exe, cvtres.exe (no specs), ipconfig.exe (no specs), route.exe (no specs), makecab.exe (no specs), fgfgtyf.exe (#NANOCORE), fgfgtyf.exe

Process information

PID: 1840
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3223.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3012
CMD: "C:\Users\admin\Desktop\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe"
Path: C:\Users\admin\Desktop\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: NanoCore
Version: 1.2.2.0

PID: 1640
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\system32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1780
CMD: "C:\Windows\system32\taskmgr.exe" /1
Path: C:\Windows\system32\taskmgr.exe
Parent process: taskmgr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 692
CMD: "C:\Program Files\q\q.exe"
Path: C:\Program Files\q\q.exe
Parent process: explorer.exe
User: admin
Company: http://www.qemu-project.org
Integrity Level: MEDIUM
Description: QEMU machine emulators and tools
Exit code: 1
Version: 2.10.65

PID: 332
CMD: "C:\Program Files\Opera\opera.exe"
Path: C:\Program Files\Opera\opera.exe
Parent process: explorer.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Internet Browser
Exit code: 0
Version: 1748

PID: 1464
CMD: "C:\Windows\System32\msdt.exe" -skip TRUE -path C:\Windows\diagnostics\system\networking -ep NetworkDiagnosticsPNI
Path: C:\Windows\System32\msdt.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Exit code: 4294967295
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2760
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2220
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\lj-0dh25.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 8.0.50727.4927 (NetFXspW7.050727-4900)

PID: 2720
CMD: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA193.tmp" "c:\Users\admin\AppData\Local\Temp\CSCA192.tmp"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 8.00.50727.4940 (Win7SP1.050727-5400)
Total events: 1 549
Read events: 1 325
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 10
Suspicious files: 60
Text files: 350
Unknown types: 21

Dropped files

PID | Process | Filename | Type
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\ClientPlugin.xml | xml
MD5: 5D0381A56563B1CA8928E3CF087F1625
SHA256: 0497B92461C2A9CE3101D9397FB3079F60979164336A16653D282273D3085BCC
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\client.bin | executable
MD5: 906A949E34472F99BA683EFF21907231
SHA256: 9D3EA5AF7DC261BF93C76F55D702A315AA22FB241E4207DC86CD834C262245C8
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Exceptions\Client\1.2.2.0\c42214a80aee43e514d5aba60af06da2.log | text
MD5: C42214A80AEE43E514D5ABA60AF06DA2
SHA256: F93190510C1434EF43C6C389544C5172BF47C4CE1DE57C762616929428563B86
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Databases\geolocation.sqlite | sqlite
MD5: 0E8D861CDDEDE3A0B2B02CFC0B060B99
SHA256: 11BD851D8994D3CA9D078144679AA2DC06841ADDD0947B8FA8AD36758BDECF7A
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Plugins\MultiCore.ncp | binary
MD5: BECB82E1E914E906BE158E3F9DD658AC
SHA256: 5494ADF651FC64E3AA6C08E38165D8DBFEC52056CDF4FADAE90B76B0E6816A33
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Plugins\CorePlugin.ncp | binary
MD5: 7914E7302F72D330AA5F6C5C8C26DF43
SHA256: F66985518B1E56A04F512D110F5B79F21ED91CBCBF6BD3E17EBA3DCDFB85F9B5
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | executable
MD5: 1728ACC244115CBAFD3B810277D2E321
SHA256: EC359F50CA15395F273899C0FF7C0CD87AB5C2E23FDCFC6C72FEDC0097161D4B
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Plugins\NanoBrowser.ncp | binary
MD5: 8B13FDC96AF0A84C152F5A601DCC6B06
SHA256: 997C41B05150480BCFAE9ABB3132FC807F6C6B511B810B554FDB5AEDF89F5DB0
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\PluginCompiler.exe | executable
MD5: E2D1C5DF11F9573F6C5D0A7AD1A79FBF
SHA256: 0B41B2FCD0F1A4E913D3EFE293F713849D59EFEBB27BAC060AB31BED51AC2F6B
1840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1840.40100\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Plugins\ManagementPlugin.ncp | binary
MD5: B612C2C9A6D361A5DB14C04BA126119C
SHA256: B86FE4E126A9748A383A34D615B9598C715F2380C0AAD957495C66923902026C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 10
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3012 | NanoCore.exe | GET | 200 | 104.197.246.62:80 | http://lazyshare.net/PluginStats/Functions/getPluginName.php?PluginID=FAD00979338 | US | - | - | unknown
3012 | NanoCore.exe | POST | 200 | 104.197.246.62:80 | http://lazyshare.net/PluginStats/Functions/newLog.php | US | - | - | unknown
3012 | NanoCore.exe | POST | 200 | 104.197.246.62:80 | http://lazyshare.net/PluginStats/Functions/checkInstall.php | US | - | - | unknown
332 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 564 b | whitelisted
3012 | NanoCore.exe | GET | 200 | 95.211.117.215:80 | http://survey-smiles.com/ | NL | html | 473 b | whitelisted
3012 | NanoCore.exe | GET | 302 | 95.211.117.215:80 | http://survey-smiles.com/ | NL | text | 11 b | whitelisted
3012 | NanoCore.exe | POST | 302 | 212.32.237.91:80 | http://nimoru.com/nano/submitFeedback.php | NL | text | 11 b | malicious
832 | svchost.exe | GET | 200 | 2.21.38.54:80 | http://www.microsoft.com/ | FR | html | 1020 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
332 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | - | whitelisted
3012 | NanoCore.exe | 104.197.246.62:80 | lazyshare.net | Google Inc. | US | unknown
332 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3012 | NanoCore.exe | 212.32.237.91:80 | nimoru.com | LeaseWeb Netherlands B.V. | NL | malicious
832 | svchost.exe | 2.21.38.54:80 | www.microsoft.com | GTT Communications Inc. | FR | malicious
3012 | NanoCore.exe | 95.211.117.215:80 | survey-smiles.com | LeaseWeb Netherlands B.V. | NL | malicious

DNS requests

Domain | IP | Reputation
lazyshare.net | 104.197.246.62 | unknown
nimoru.com | 212.32.237.91 | malicious
survey-smiles.com | 95.211.117.215 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared
certs.opera.com | 185.26.182.93, 185.26.182.94 | whitelisted
crl4.digicert.com | 93.184.220.29 | whitelisted
www.microsoft.com | 2.21.38.54 | whitelisted
nnnmn | - | unknown

Threats

Detected threats are available with paid subscriptions.
1 ETPRO signature is available in the full report.
Process | Message
NanoCore.exe | Trying to load native SQLite library "C:\Users\admin\Desktop\NanoCore 1.2.2.0_Cracked By Alcatraz3223\NanoCore 1.2.2.0_Cracked By Alcatraz3222\x86\SQLite.Interop.dll"...
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302