analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

#515695.rar

Full analysis: https://app.any.run/tasks/12d44ee0-1386-44b3-9bda-7449109e1367
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: July 17, 2019, 07:59:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
nanocore
rat
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

D178F9D70B870EA240ABA0C2357EDF64

SHA1:

B03FD1E600CA36A32A8136984C0BADD24D0C1029

SHA256:

6961A96DDD8C2D54C65257A68A226E80EFEC8E283CA1A75A75F72A01A0B2BF7D

SSDEEP:

12288:q/VG97ZWkwEloubApVd9TPCWhMuTwK5MRHfOuhVsR8UQcxl:TTzRApxCGXWxGEVE8UdL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • menu.exe (PID: 2884)
    • NanoCore was detected

      • menu.exe (PID: 2884)
    • Application was dropped or rewritten from another process

      • menu.exe (PID: 2884)
      • menu.exe (PID: 2064)
      • menu.exe (PID: 3572)
    • Connects to CnC server

      • menu.exe (PID: 2884)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • menu.exe (PID: 3572)
      • WinRAR.exe (PID: 3504)
      • menu.exe (PID: 2884)
    • Creates files in the user directory

      • menu.exe (PID: 3572)
      • menu.exe (PID: 2884)
      • menu.exe (PID: 2064)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • WinRAR.exe (PID: 3504)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start winrar.exe menu.exe #NANOCORE menu.exe notepad.exe no specs menu.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3504"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\#515695.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3572"C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.40448\#515695\menu.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.40448\#515695\menu.exe
WinRAR.exe
User:
admin
Company:
fierce
Integrity Level:
MEDIUM
Description:
departmentkey
Exit code:
0
Version:
15.5.24.34
2884"C:\Users\admin\AppData\Roaming\menu.exe" C:\Users\admin\AppData\Roaming\menu.exe
menu.exe
User:
admin
Integrity Level:
MEDIUM
3144"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Roaming\Secret.txtC:\Windows\system32\NOTEPAD.EXEmenu.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2064"C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.42629\#515695\menu.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.42629\#515695\menu.exeWinRAR.exe
User:
admin
Company:
fierce
Integrity Level:
MEDIUM
Description:
departmentkey
Exit code:
0
Version:
15.5.24.34
2496"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Roaming\Secret.txtC:\Windows\system32\NOTEPAD.EXEmenu.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 231
Read events
1 197
Write events
0
Delete events
0

Modification events

No data
Executable files
10
Suspicious files
3
Text files
10
Unknown types
1

Dropped files

PID
Process
Filename
Type
3504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3504.40448\README.txttext
MD5:E4ACEDC6ED7C3D50FFECEEA6FB6A3ADD
SHA256:A8E203F4E69FAE1D664BDB2103FDF4BDF29D0316BCFA4E74544DF4BE6AD685BF
3504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3504.40448\#515695\main.luatext
MD5:3057858CA97B23E5E69BB8C473BCDE67
SHA256:57099ECE90DD345172471BA8CBB7961BD0EE1ADC283CD81E9B5D8267FA34B8B6
3504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3504.42629\#515695\background.pngimage
MD5:8616C2D9F2ACBD2B0C33084DB9A10751
SHA256:C09173312A32B4A8E23A52BB5047E3F0373DBDCCFD1272E80D5981F6E78F2BB7
2884menu.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.datbinary
MD5:81EE9230C58793CB40347D3E3A289B5F
SHA256:76A958054104717B94299BE5B73018937DDEA57010A716F66C5363D16291F032
3572menu.exeC:\Users\admin\AppData\Roaming\menu.exeexecutable
MD5:43CA82071DBB0C70911786EC409D8100
SHA256:57A13824096F8E21D2BC2ED36455773EC93B507727AD57C233B8D94FC4811D35
3572menu.exeC:\Users\admin\AppData\Roaming\Secret.txttext
MD5:7341A671846AC5274C654B93D5E59DD7
SHA256:925D715937B07D81DE8126E3728630630B31A83C6467708BD5AC88B1D9E14D0D
2884menu.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exeexecutable
MD5:43CA82071DBB0C70911786EC409D8100
SHA256:57A13824096F8E21D2BC2ED36455773EC93B507727AD57C233B8D94FC4811D35
3504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3504.40448\#515695\background.pngimage
MD5:8616C2D9F2ACBD2B0C33084DB9A10751
SHA256:C09173312A32B4A8E23A52BB5047E3F0373DBDCCFD1272E80D5981F6E78F2BB7
3504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3504.42629\#515695\main.luatext
MD5:3057858CA97B23E5E69BB8C473BCDE67
SHA256:57099ECE90DD345172471BA8CBB7961BD0EE1ADC283CD81E9B5D8267FA34B8B6
3504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3504.40448\#515695\menu.exeexecutable
MD5:A523CC88EDB42D2C398D0F514FC252FA
SHA256:8B23154CDED763F8319D42D1728974855FC4FAADF34653405C70096AE13F4F86
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2884
menu.exe
3.19.3.150:10754
0.tcp.ngrok.io
US
malicious
2884
menu.exe
8.8.8.8:53
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
0.tcp.ngrok.io
  • 3.19.3.150
shared

Threats

PID
Process
Class
Message
2884
menu.exe
Potential Corporate Privacy Violation
ET POLICY DNS Query to a *.ngrok domain (ngrok.io)
2884
menu.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 60B
2884
menu.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
2884
menu.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
2884
menu.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
2884
menu.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
2884
menu.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
2884
menu.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
2884
menu.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
2884
menu.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
10 ETPRO signatures available at the full report
No debug info