analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://anonfile.com/ychcW8z1nc/nitrogen_exe

Full analysis: https://app.any.run/tasks/f05da5a2-21d6-41bc-99f2-83333ac2d186
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: July 18, 2019, 12:57:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
nanocore
Indicators:
MD5:

371D7E74E74C7D556A9F56591244D924

SHA1:

6FF7432038DD2426DBCA52DC7B73FE911F4F0689

SHA256:

BD9788706FF0D88B2F381BB5619DCAEAAF293B64F4D7E55307AB04BFE8612536

SSDEEP:

3:N8RGLNydfurdA:2gLNI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • nitrogen.exe (PID: 3496)
    • Application was dropped or rewritten from another process

      • nitrogen[1].exe (PID: 3000)
      • nitro_gen.exe (PID: 4052)
      • nitro_gen.exe (PID: 3788)
      • nitrogen.exe (PID: 3496)
    • NanoCore was detected

      • nitrogen.exe (PID: 3496)
    • Loads dropped or rewritten executable

      • nitro_gen.exe (PID: 3788)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2848)
      • iexplore.exe (PID: 3128)
      • nitrogen.exe (PID: 3496)
      • nitro_gen.exe (PID: 4052)
      • nitrogen[1].exe (PID: 3000)
    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 4032)
    • Application launched itself

      • nitro_gen.exe (PID: 4052)
    • Starts CMD.EXE for commands execution

      • nitro_gen.exe (PID: 3788)
    • Creates files in the user directory

      • nitrogen.exe (PID: 3496)
    • Loads Python modules

      • nitro_gen.exe (PID: 3788)
  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3128)
    • Application launched itself

      • iexplore.exe (PID: 2848)
    • Changes internet zones settings

      • iexplore.exe (PID: 2848)
    • Creates files in the user directory

      • iexplore.exe (PID: 3128)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 4032)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3128)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2848)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2848)
    • Dropped object may contain Bitcoin addresses

      • nitro_gen.exe (PID: 4052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs nitrogen[1].exe #NANOCORE nitrogen.exe nitro_gen.exe nitro_gen.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2848"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3128"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2848 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4032C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
3000"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\nitrogen[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\nitrogen[1].exe
iexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3496"C:\Users\admin\AppData\Local\Temp\nitrogen.exe" C:\Users\admin\AppData\Local\Temp\nitrogen.exe
nitrogen[1].exe
User:
admin
Integrity Level:
MEDIUM
4052"C:\Users\admin\AppData\Local\Temp\nitro_gen.exe" C:\Users\admin\AppData\Local\Temp\nitro_gen.exe
nitrogen[1].exe
User:
admin
Integrity Level:
MEDIUM
3788"C:\Users\admin\AppData\Local\Temp\nitro_gen.exe" C:\Users\admin\AppData\Local\Temp\nitro_gen.exenitro_gen.exe
User:
admin
Integrity Level:
MEDIUM
2544C:\Windows\system32\cmd.exe /c title Nitro Gen by lonanll#9108 discord: https://discord.gg/4TbQxcDC:\Windows\system32\cmd.exenitro_gen.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 346
Read events
1 164
Write events
0
Delete events
0

Modification events

No data
Executable files
21
Suspicious files
7
Text files
951
Unknown types
12

Dropped files

PID
Process
Filename
Type
3128iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1G7YV6LK\nitrogen_exe[1].txt
MD5:
SHA256:
2848iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
2848iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3128iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1G7YV6LK\nitrogen_exe[1].htmhtml
MD5:76563307619B94FC6984DC2D909D6937
SHA256:3AA3A19EB17B2ADFE711425293D00118E5B95EBB1716C533B5675AE6A161F80D
3128iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J4BJQ342\shermore_info[1]text
MD5:26DC3B03FD4BD0995560FFA6CDD45159
SHA256:C719587BEB4698DEA3649C050573174C82934A601CD03CA343CCA610A7E6E02D
3128iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J4BJQ342\app[1].jstext
MD5:54CFC945293FF769616451BABDCE038C
SHA256:232555C7291EC261A98090DF629D525090376774A511B438074A700D65D92537
3128iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5EIM8H5V\anonfile[1].csstext
MD5:FC056343EE59A457D68F2B59CB82F0C5
SHA256:2C8C7E689A476BB3A2AA7403A2436BD1C7495484C2714B58CA7C14AF4F845EAF
3128iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DATsmt
MD5:3307C77C11D42B50CDC9AACFD576106F
SHA256:8FC5C53A51F034EEAF17B76B8F8A9011E86884336D021AC24DAF7ACDA0608EF2
3128iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:39D16E8BED88AD0C59EB59FC5263F52F
SHA256:D6E8A22F20E835EC262875FCED638C54D5CEEFCBE5EEDEF9C474F1B757E58715
3128iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1G7YV6LK\d3ud741uvs727m_cloudfront_net[1]text
MD5:26C223E297EECCB49C6D24C166481130
SHA256:BCE43D9D8D83167EAC9452112462F5DA287AF2AE6B8E6C1C1CAAB0B2825AFCEF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
38
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3128
iexplore.exe
GET
200
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.3 Kb
whitelisted
3128
iexplore.exe
GET
200
52.85.182.226:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2848
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3128
iexplore.exe
151.101.2.217:443
vjs.zencdn.net
Fastly
US
suspicious
3128
iexplore.exe
52.85.182.212:443
d3ud741uvs727m.cloudfront.net
Amazon.com, Inc.
US
whitelisted
3128
iexplore.exe
172.217.18.104:443
www.googletagmanager.com
Google Inc.
US
suspicious
3128
iexplore.exe
194.32.146.60:443
anonfile.com
unknown
3128
iexplore.exe
23.111.8.154:443
oss.maxcdn.com
netDNA
US
unknown
3128
iexplore.exe
104.18.38.148:443
shermore.info
Cloudflare Inc
US
shared
3128
iexplore.exe
93.184.221.240:80
www.download.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3128
iexplore.exe
18.209.42.202:443
deryjobmeetin.info
US
unknown
3128
iexplore.exe
172.217.18.174:443
www.google-analytics.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
anonfile.com
  • 194.32.146.60
  • 194.32.146.61
whitelisted
vjs.zencdn.net
  • 151.101.2.217
  • 151.101.66.217
  • 151.101.130.217
  • 151.101.194.217
whitelisted
oss.maxcdn.com
  • 23.111.8.154
whitelisted
www.googletagmanager.com
  • 172.217.18.104
whitelisted
d3ud741uvs727m.cloudfront.net
  • 52.85.182.212
  • 52.85.182.232
  • 52.85.182.252
  • 52.85.182.32
whitelisted
shermore.info
  • 104.18.38.148
  • 104.18.39.148
whitelisted
www.google-analytics.com
  • 172.217.18.174
whitelisted
deryjobmeetin.info
  • 18.209.42.202
  • 54.209.40.52
  • 34.205.240.71
  • 52.21.76.141
  • 52.200.52.74
  • 18.211.27.151
suspicious
x.ss2.us
  • 52.85.182.226
  • 52.85.182.182
  • 52.85.182.46
  • 52.85.182.231
whitelisted

Threats

No threats detected
No debug info