File name: | 6.zip |
Full analysis: | https://app.any.run/tasks/b0ccd103-9737-434b-90f5-af34a69c97b3 |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | January 18, 2019, 08:47:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 2F048704A120CAB340B657E6D00B87FC |
SHA1: | 9F43C1EB613777529AF55068C556C57D916C422F |
SHA256: | C5BCB0C9D611A0849599413629E90F8F68C991C8E7F93F7B912873234B111306 |
SSDEEP: | 98304:EGI5IIwb7bFc1COZ7CSKor+AhTPBeuKGIAI:Ep5/wbC0OrNrBgpd |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0808 |
ZipCompression: | None |
ZipModifyDate: | 2019:01:18 03:27:11 |
ZipCRC: | 0x393c6741 |
ZipCompressedSize: | 3241984 |
ZipUncompressedSize: | 3241984 |
ZipFileName: | Steam Account Checker/HazardEdit.Tools.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3036 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2400 | "C:\Users\admin\Desktop\Steam Account Checker\Steam Account Checker - FLM.exe" | C:\Users\admin\Desktop\Steam Account Checker\Steam Account Checker - FLM.exe | explorer.exe | |
User: admin Company: Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 | ||||
3660 | schtasks /create /f /sc minute /mo 1 /tn "'Steam Account Checker - FLM'" /tr "'C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe'" | C:\Windows\system32\schtasks.exe | — | Steam Account Checker - FLM.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3064 | "C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe" | C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe | — | Steam Account Checker - FLM.exe |
User: admin Company: Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 | ||||
2760 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | Host Process for Windows Tasks.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 4.6.1055.0 built by: NETFXREL2 | ||||
416 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
1088 | "C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe" | C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe | — | taskeng.exe |
User: admin Company: Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 | ||||
3340 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | — | Host Process for Windows Tasks.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 | ||||
4008 | "C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe" | C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe | — | taskeng.exe |
User: admin Company: Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 | ||||
1724 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | — | Host Process for Windows Tasks.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 |
(PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\6.zip | |||
(PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (416) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (416) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | @C:\Windows\system32\notepad.exe,-469 |
Value: Text Document |
PID | Process | Filename | Type | |
---|---|---|---|---|
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\ElasticEmail.WebApiClient.dll | executable | |
MD5:E36F206E384B7EE506FC8A3AA7AC0BB9 | SHA256:D63E591117BB5B241CB30DE9D7AA4EF606E9A1128A8F6D58BD3F58FFB36242CF | |||
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\HazardEdit.Tools.dll | executable | |
MD5:C42AFB10D2659AD23CDE33539CEEF88C | SHA256:EB9337F0ECD9F85F521FE9060A4FF306804138F5C31FE329B45C4BD7E2D6342C | |||
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\Cyotek.Windows.Forms.ColorPicker.dll | executable | |
MD5:07A187F8941315DF7D1327532C8CE506 | SHA256:83679BABD6D4640756B63F4E65668E82608BBC07F7669A469E524A279C2D5853 | |||
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\Steam Account Checker - FLM.exe | executable | |
MD5:5AF0571C2D1AB1BD9C516DF4A4630746 | SHA256:3F3CC0FF6A4092BE67F5F0EA378976C128A7846B64EC25D3F5CAAC2C75B8142D | |||
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\Results\Results From January 12, 2019 @ 07.08\Bad Checked By TCM's Skin Checker.txt | text | |
MD5:B01D30E18A75E5802F9F8210B48B032D | SHA256:8EAC4624E3BBF060A602DAB36D83DCC1817DD75D9E7029C08DAD94D4CEFC58B4 | |||
2400 | Steam Account Checker - FLM.exe | C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe | executable | |
MD5:5AF0571C2D1AB1BD9C516DF4A4630746 | SHA256:3F3CC0FF6A4092BE67F5F0EA378976C128A7846B64EC25D3F5CAAC2C75B8142D | |||
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\GeoIP.dat | binary | |
MD5:1F897B5825CF91799831862620911AFF | SHA256:5F85518CF71E7B53544E0BD0C1874D1F89A0D6DE7A6AD50683517575AAA56301 | |||
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\MailKit.dll | executable | |
MD5:BE99F9896236C6106887959541D22F05 | SHA256:786E2126D22AFABCB42D57CF07760690C18C21007C93ABAED0CB4C7FE2044EB6 | |||
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\Bunifu_UI_v1.5.3.dll | executable | |
MD5:2ECB51AB00C5F340380ECF849291DBCF | SHA256:F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF | |||
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\NotificationSound\beep.wav | wav | |
MD5:248DDC4190B35F7DAE7F2C851F7F0E2C | SHA256:8A57FAA5E59D2DD499F103E8188217FFB13331E153DC2A726B5247001336C0D5 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2760 | Regasm.exe | 82.10.185.160:1085 | piglion.ddns.net | Virgin Media Limited | GB | suspicious |
2760 | Regasm.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
piglion.ddns.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Generic dynamic DNS detection |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Generic dynamic DNS detection |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Generic dynamic DNS detection |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Generic dynamic DNS detection |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Generic dynamic DNS detection |
Process | Message |
---|---|
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|