File name: | Netflix Account Checker 5.0.rar |
Full analysis: | https://app.any.run/tasks/d98015e4-10a1-4ffa-91b1-b94740f9865c |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | December 18, 2018, 20:44:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 3FE35F92135A5E0D88A8037291DDE0DA |
SHA1: | F5D29001B472FB50CAA31212813C3CA8DEF48B0D |
SHA256: | 78A2BB7504392255C36812C4D4A0E8ADECA83BAAA02FDBB2A1ADCB7F7EFFEDAB |
SSDEEP: | 24576:Ak2N8LW6o5Z+ixZm4/XqsaN/8zhv/nHklQFZnAOupbJfk2Volk0nHZxJ9:YPLZ+14ism/8RfHklWZb6lfNoi0nzJ9 |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2880 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Netflix Account Checker 5.0.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1224 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
3808 | "C:\Users\admin\Desktop\Netflix Account Checker 5.0.exe" | C:\Users\admin\Desktop\Netflix Account Checker 5.0.exe | explorer.exe | |
User: admin Company: CPUID Hardware Monitor Integrity Level: MEDIUM Description: HWMonitor.exe Exit code: 0 Version: 1.3.4.0 | ||||
3676 | "C:\Users\admin\AppData\Local\Temp\AdobeFlash.exe" | C:\Users\admin\AppData\Local\Temp\AdobeFlash.exe | Netflix Account Checker 5.0.exe | |
User: admin Company: CPUID Hardware Monitor Integrity Level: MEDIUM Description: HWMonitor.exe Exit code: 0 Version: 1.3.4.0 | ||||
3080 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | AdobeFlash.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 4.6.1055.0 built by: NETFXREL2 |
(PID) Process: | (2880) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2880) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2880) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2880) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Netflix Account Checker 5.0.rar | |||
(PID) Process: | (2880) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2880) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2880) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2880) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3808) Netflix Account Checker 5.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Run\CurrentVersion |
Operation: | write | Name: | AdobeFlash.exe |
Value: C:\Users\admin\AppData\Local\Temp\AdobeFlash.exe | |||
(PID) Process: | (3808) Netflix Account Checker 5.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.42935\Netflix Account Checker 5.0.exe | executable | |
MD5:EE6EF45B3DC73B7952B94FDB4DF043C2 | SHA256:F219C99BAE7D406EE40D9528179A93A2EED7C2C942CCDA12916177159DE6CE92 | |||
3080 | Regasm.exe | C:\Users\admin\AppData\Roaming\Logs\12-18-2018 | binary | |
MD5:257BA28520E1B81CAFDD6867C05F661D | SHA256:D17E788B663277D84CFD202C6433BB02D1026FCE4470F0D1EF4A7F9500AA8D61 | |||
3808 | Netflix Account Checker 5.0.exe | C:\Users\admin\AppData\Local\Temp\AdobeFlash.exe | executable | |
MD5:EE6EF45B3DC73B7952B94FDB4DF043C2 | SHA256:F219C99BAE7D406EE40D9528179A93A2EED7C2C942CCDA12916177159DE6CE92 | |||
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.42935\Newtonsoft.Json.dll | executable | |
MD5:C53737821B861D454D5248034C3C097C | SHA256:575E30F98E4EA42C9E516EDC8BBB29AD8B50B173A3E6B36B5BA39E133CCE9406 | |||
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.42935\MahApps.Metro.dll | executable | |
MD5:FB1E8EEE84791CC015E043AB0CE32BBA | SHA256:0DE72DA4BC2D16D39C30368AF880D754FA0BD9745897652BA50213E589D265C5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3080 | Regasm.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 347 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3080 | Regasm.exe | 193.56.28.161:4782 | repmodz11.duckdns.org | — | — | malicious |
3080 | Regasm.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
Domain | IP | Reputation |
---|---|---|
ip-api.com |
| shared |
repmodz11.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3080 | Regasm.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3080 | Regasm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar 1.3 RAT IP Lookup ip-api.com (HTTP headeer) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3080 | Regasm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar RAT |
3080 | Regasm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Injector.DPAH (KOVTER) |
3080 | Regasm.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
Process | Message |
---|---|
Netflix Account Checker 5.0.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
Netflix Account Checker 5.0.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
Netflix Account Checker 5.0.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
Netflix Account Checker 5.0.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
Netflix Account Checker 5.0.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
Netflix Account Checker 5.0.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
Netflix Account Checker 5.0.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
Netflix Account Checker 5.0.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
AdobeFlash.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
AdobeFlash.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|