File name: pest.exe

Full analysis: https://app.any.run/tasks/d62426b3-d711-4f64-81a0-76f3f3534a77
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). This malware is highly customizable through plugins, which allow attackers to tailor its functionality to their needs. NanoCore is built on the .NET framework and is available for purchase for just $25 from its "official" website.

Analysis date: December 18, 2024, 23:50:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: nanocore, rat, remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 3A25B8B57FEE2DBE05B915A4BA5A5F23
SHA1: D563FC3B01275E873B938A5F08E15809A8EA44B7
SHA256: 586ED5D88E9C4B4C7D64FDC87C134F464CEE29A2C75CD7021195E057DBCFAF1C
SSDEEP: 3072:6pjFiF4UMYXw+zcgi+oG/j9iaMP2s/Hfg9LNeiAFoVd6zOoHfT/vUOYB77UDoW:6NFfUMuzkIM5fIZNd6zOCL/vUDPGX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • pest.exe (PID: 4992)
      • pest.exe (PID: 3524)
    • NANOCORE has been detected (YARA)

      • pest.exe (PID: 3524)
    • NANOCORE has been detected (SURICATA)

      • pest.exe (PID: 3524)
    • Connects to the CnC server

      • pest.exe (PID: 3524)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • pest.exe (PID: 4992)
      • pest.exe (PID: 3524)
    • Reads security settings of Internet Explorer

      • pest.exe (PID: 4992)
    • Executable content was dropped or overwritten

      • pest.exe (PID: 4992)
      • pest.exe (PID: 3524)
    • Application launched itself

      • pest.exe (PID: 4992)
    • Connects to unusual port

      • pest.exe (PID: 3524)
    • Contacting a server suspected of hosting a CnC

      • pest.exe (PID: 3524)
  • INFO

    • The process uses the downloaded file

      • pest.exe (PID: 4992)
      • pest.exe (PID: 3524)
    • Creates files or folders in the user directory

      • pest.exe (PID: 4992)
      • pest.exe (PID: 3524)
    • Checks supported languages

      • pest.exe (PID: 4992)
      • pest.exe (PID: 3524)
    • Process checks whether UAC notifications are on

      • pest.exe (PID: 4992)
      • pest.exe (PID: 3524)
    • Process checks computer location settings

      • pest.exe (PID: 4992)
    • Reads the computer name

      • pest.exe (PID: 4992)
      • pest.exe (PID: 3524)
    • Reads the machine GUID from the registry

      • pest.exe (PID: 4992)
      • pest.exe (PID: 3524)
    • Creates files in the program directory

      • pest.exe (PID: 3524)
    • Reads Environment values

      • pest.exe (PID: 3524)
    • Reads product name

      • pest.exe (PID: 3524)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:02:22 00:49:37+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 116736
InitializedDataSize: 90112
UninitializedDataSize: -
EntryPoint: 0x1e792
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 118
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown: start, pest.exe (#NANOCORE), pest.exe, svchost.exe

Process information

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\kernel.appcore.dll

PID: 3524
CMD: "C:\Users\admin\Desktop\pest.exe"
Path: C:\Users\admin\Desktop\pest.exe
Parent process: pest.exe
User: admin
Integrity Level: HIGH
Exit code: 1073807364
Modules (images):
  • c:\users\admin\desktop\pest.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll

PID: 4992
CMD: "C:\Users\admin\Desktop\pest.exe"
Path: C:\Users\admin\Desktop\pest.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\desktop\pest.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
Total events: 916
Read events: 913
Write events: 2
Delete events: 1

Modification events

(PID) Process: (4992) pest.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: LAN Host
Value: C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\LAN Host\lanhost.exe

(PID) Process: (3524) pest.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: LAN Host
Value: C:\Program Files (x86)\LAN Host\lanhost.exe

(PID) Process: (3524) pest.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: LAN Host
Value: C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\LAN Host\lanhost.exe
Executable files: 2
Suspicious files: 6
Text files: 0
Unknown types: 0

Dropped files

PID: 4992 | Process: pest.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\run.dat
MD5: D3396EE1FD66758516C41ADE0BF70647
SHA256: B9C94F5A0F04904E7E8826728121E826124A9CBAF406E6E078F0D492EA52F0BE

PID: 3524 | Process: pest.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\storage.dat
MD5: 653DDDCB6C89F6EC51F3DDC0053C5914
SHA256: 83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9

PID: 4992 | Process: pest.exe | Type: executable
Filename: C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\LAN Host\lanhost.exe
MD5: 3A25B8B57FEE2DBE05B915A4BA5A5F23
SHA256: 586ED5D88E9C4B4C7D64FDC87C134F464CEE29A2C75CD7021195E057DBCFAF1C

PID: 3524 | Process: pest.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\catalog.dat
MD5: 9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA256: AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757

PID: 3524 | Process: pest.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\settings.bin
MD5: 3FCC766D28BFD974C68B38C27D0D7A9A
SHA256: 39A25F1AB5099005A74CF04F3C61C3253CD9BDA73B85228B58B45AAA4E838641

PID: 3524 | Process: pest.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\settings.bak
MD5: 3FCC766D28BFD974C68B38C27D0D7A9A
SHA256: 39A25F1AB5099005A74CF04F3C61C3253CD9BDA73B85228B58B45AAA4E838641

PID: 3524 | Process: pest.exe | Type: executable
Filename: C:\Program Files (x86)\LAN Host\lanhost.exe
MD5: 3A25B8B57FEE2DBE05B915A4BA5A5F23
SHA256: 586ED5D88E9C4B4C7D64FDC87C134F464CEE29A2C75CD7021195E057DBCFAF1C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 18
DNS requests: 17
Threats: 25

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2736 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2736 | svchost.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
2736 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2736 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2736 | svchost.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 2.19.217.218 | whitelisted
parts-sleeps.gl.at.ply.gg | 147.185.221.22 | unknown
self.events.data.microsoft.com | 52.182.143.210 | whitelisted

Threats

PID | Process | Class | Message
3524 | pest.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
3524 | pest.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
3524 | pest.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
3524 | pest.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
3524 | pest.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
3524 | pest.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
3524 | pest.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
3524 | pest.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
3524 | pest.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
3524 | pest.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
No debug info