Field | Value
---|---
File name | swift copy.rar
Full analysis | https://app.any.run/tasks/797ecece-133c-4ca4-b2c7-12e7383f8224
Verdict | Malicious activity
Threats | NanoCore is a Remote Access Trojan (RAT) built on the .NET Framework. It is highly customizable: plugins let an operator add the functionality they need, and it has been sold for as little as $25 from its “official” website.
Analysis date | February 19, 2019, 08:39:21
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | 567F3D4BB560D380F28B476FE629633F
SHA1 | 4E5009DD38667DAA506C2EE37A94294BB68E51E9
SHA256 | 805A67583C9F6B2ED6B6AD95F32EA904074715CA4A2C4C224D427721B0B08A36
SSDEEP | 12288:sQmTX0oDsfg+AWydYXAzYI2n5W/IorfdMDJP6Ehd5b:sQmI47nzOAxp3wJFV
Extension | Description | Confidence (%)
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2872 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\swift copy.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2556 | "C:\Users\admin\Desktop\swift copy.exe" | C:\Users\admin\Desktop\swift copy.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3684 | "C:\Users\admin\Desktop\swift copy.exe" | C:\Users\admin\Desktop\swift copy.exe | — | swift copy.exe | User: admin; Integrity Level: MEDIUM
3768 | "C:\Users\admin\Desktop\swift copy.exe" 2 3684 1749406 | C:\Users\admin\Desktop\swift copy.exe | — | swift copy.exe | User: admin; Integrity Level: MEDIUM

The process chain is worth reading closely: explorer.exe starts the extracted sample as PID 2556, which exits with code 0, and two further instances, PIDs 3684 and 3768, are each started by swift copy.exe itself. PID 3768 is launched with the extra arguments 2 3684 1749406, the second of which is the PID of the other running instance; the report does not explain the first and third. All of the registry, file and network activity recorded below is performed by PID 3684.
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
2872 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
2872 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
2872 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2872 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\swift copy.rar
2872 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2872 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2872 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2872 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
3684 | swift copy.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TCP Monitor | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe

The eight WinRAR writes are the archiver's own interface state (theme, column widths, archive history) and are not attributable to the sample. The one write that matters is from PID 3684: a Run value named TCP Monitor under HKEY_CURRENT_USER, pointing at tcpmon.exe in a GUID-named directory under AppData\Roaming, so the RAT is restarted at every logon of this user without needing elevation.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3684 | swift copy.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | 51AF19C8E877E677098494BB73986F67 | 14663DA19B63EEA8197D6650BB6169F5C4739C31A1FF3F463C3289C0CD648FA6
2872 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2872.12312\swift copy.exe | executable | 839A4EC283989B753263CD82BBA71CDC | EB764E4668B97B353EE9807BF071ED4282F1A65B45A383D6644E4621A85566E3
3684 | swift copy.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | 839A4EC283989B753263CD82BBA71CDC | EB764E4668B97B353EE9807BF071ED4282F1A65B45A383D6644E4621A85566E3

tcpmon.exe carries the same MD5 and SHA256 as the swift copy.exe that WinRAR extracted from the archive, so the persisted binary is a byte-for-byte copy of the sample rather than a second-stage download; run.dat is a text file written alongside it in the same GUID-named directory. Note that the archive's own hashes in the header are different, so hunting should be done on the inner executable's hashes, not the RAR's.
PID | Process | IP:port | Domain | ASN (organisation) | CN | Reputation
---|---|---|---|---|---|---
3684 | swift copy.exe | 146.255.88.197:1985 | — | Telesmart Telekom Doo | MK | unknown

The only network activity is a connection from PID 3684 straight to 146.255.88.197 on port 1985, with no domain recorded; the address is in a Macedonian AS and has no reputation entry.
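The four behaviours the tables record (the sample relaunching itself, a Run value pointing into a GUID-named Roaming directory, an unchanged copy of the sample dropped as the persisted binary, and a direct-to-IP connection on an uncommon port) can be turned into triage rules. The Python below is an added example and not ANY.RUN's detection logic; its event records are transcribed from the tables above as constructed input, and the GUID-directory pattern and the list of "common" ports are my own assumptions about what is worth flagging, not something the report states.

```python
"""Triage rules over the events recorded in the report above.

Added example; not ANY.RUN's own detection logic. The event records are
transcribed from the page's tables (constructed input, same values), and the
GUID-directory pattern and "common port" list are assumptions about what is
worth flagging, not something the report states.
"""
import re
from collections import defaultdict

# Autorun target inside a GUID-named directory under AppData\Roaming
# (assumption: this layout is suspicious enough on its own to flag).
GUID_DIR = re.compile(r"\\AppData\\Roaming\\[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\\")
RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 993, 995, 8080, 8443}  # assumption

# Events transcribed from the report's tables.
PROCESSES = [
    {"pid": 2872, "image": r"C:\Program Files\WinRAR\WinRAR.exe", "parent": "explorer.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\swift copy.rar"'},
    {"pid": 2556, "image": r"C:\Users\admin\Desktop\swift copy.exe", "parent": "explorer.exe",
     "cmd": r'"C:\Users\admin\Desktop\swift copy.exe"'},
    {"pid": 3684, "image": r"C:\Users\admin\Desktop\swift copy.exe", "parent": "swift copy.exe",
     "cmd": r'"C:\Users\admin\Desktop\swift copy.exe"'},
    {"pid": 3768, "image": r"C:\Users\admin\Desktop\swift copy.exe", "parent": "swift copy.exe",
     "cmd": r'"C:\Users\admin\Desktop\swift copy.exe" 2 3684 1749406'},
]
REGISTRY = [
    {"pid": 2872, "key": r"HKEY_CURRENT_USER\Software\WinRAR\ArcHistory", "name": "0",
     "value": r"C:\Users\admin\AppData\Local\Temp\swift copy.rar"},
    {"pid": 3684, "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "TCP Monitor",
     "value": r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe"},
]
SAMPLE_SHA256 = "EB764E4668B97B353EE9807BF071ED4282F1A65B45A383D6644E4621A85566E3"
FILES = [
    {"pid": 2872, "type": "executable", "sha256": SAMPLE_SHA256,
     "path": r"C:\Users\admin\AppData\Local\Temp\Rar$DRa2872.12312\swift copy.exe"},
    {"pid": 3684, "type": "text",
     "sha256": "14663DA19B63EEA8197D6650BB6169F5C4739C31A1FF3F463C3289C0CD648FA6",
     "path": r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat"},
    {"pid": 3684, "type": "executable", "sha256": SAMPLE_SHA256,
     "path": r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe"},
]
NETWORK = [{"pid": 3684, "remote": "146.255.88.197:1985", "domain": None}]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def run_key_persistence(registry):
    """Run/RunOnce value whose target lives in a GUID-named Roaming directory."""
    return [{"rule": "run_key_into_guid_dir", "pid": ev["pid"], "name": ev["name"], "target": ev["value"]}
            for ev in registry if ev["key"].endswith(RUN_KEYS) and GUID_DIR.search(ev["value"])]


def dropped_self_copies(files):
    """Same executable (by SHA256) written to more than one path: the sample persisting itself unchanged."""
    by_hash = defaultdict(set)
    for f in files:
        if f["type"] == "executable":
            by_hash[f["sha256"]].add(f["path"])
    return [{"rule": "same_binary_two_paths", "sha256": h, "paths": sorted(p)}
            for h, p in by_hash.items() if len(p) > 1]


def self_spawn(processes):
    """Process started by another instance of its own image. Numeric arguments that
    equal the PID of a sibling instance are recorded (the 3768 row carries 3684)."""
    instances = {p["pid"]: basename(p["image"]) for p in processes}
    hits = []
    for p in processes:
        me = basename(p["image"])
        if p["parent"].lower() != me:
            continue
        args = p["cmd"].split('"')[-1].split()  # tokens after the quoted image path
        refs = [int(a) for a in args if a.isdigit() and instances.get(int(a)) == me]
        hits.append({"rule": "self_spawn", "pid": p["pid"], "references_pid": refs})
    return hits


def direct_ip_c2(network):
    """Connection to a bare IP (no domain recorded) on a port outside the common set."""
    hits = []
    for ev in network:
        host, port = ev["remote"].rsplit(":", 1)
        if ev["domain"] is None and int(port) not in COMMON_PORTS:
            hits.append({"rule": "direct_ip_uncommon_port", "pid": ev["pid"], "host": host, "port": int(port)})
    return hits


def triage(processes=PROCESSES, registry=REGISTRY, files=FILES, network=NETWORK):
    """All findings for one run; each rule is independent so a partial export still yields results."""
    return (run_key_persistence(registry) + dropped_self_copies(files)
            + self_spawn(processes) + direct_ip_c2(network))


if __name__ == "__main__":
    for hit in triage():
        print(hit)
```

Run as a script it prints five findings, one for the Run value, one for the duplicated binary, one per self-spawned instance (3684 and 3768, the latter referencing PID 3684), and one for the port-1985 connection. The rules take plain dictionaries so the same functions can be fed events exported from another sandbox run or an EDR process/registry/file/network feed; the WinRAR registry writes and run.dat are included deliberately to show that only the NanoCore-specific events trip the rules.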