File name: SITDSHBKZ 180-001.rar
Full analysis: https://app.any.run/tasks/2a47a3cd-14f6-4c27-9f76-1556457ab404
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: July 17, 2019, 16:27:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, nanocore
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: F3F7F69664641C685EC93166A9E2FB1F
SHA1: 90CB64ECEFF98C0E58AA5DC92112F64E0B15E34E
SHA256: D51FD76F15053750BCC77C3ECCD96DB79BBFBC53D259CDF21FF6BEA1C717E3BE
SSDEEP: 12288:EuyD7Rs/A7PHtP3r4wLl7ewJ69/XtZ4UOG5rWm:E9DRxLl7ew29Z4spWm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SITDSHBKZ 180-001.exe (PID: 3168)
      • SITDSHBKZ 180-001.exe (PID: 2100)
      • SITDSHBKZ 180-001.exe (PID: 3204)
      • SITDSHBKZ 180-001.exe (PID: 2644)
    • Changes the autorun value in the registry

      • SITDSHBKZ 180-001.exe (PID: 2644)
    • NanoCore was detected

      • SITDSHBKZ 180-001.exe (PID: 2644)
  • SUSPICIOUS

    • Application launched itself

      • SITDSHBKZ 180-001.exe (PID: 2100)
      • SITDSHBKZ 180-001.exe (PID: 3168)
    • Executable content was dropped or overwritten

      • SITDSHBKZ 180-001.exe (PID: 2644)
      • WinRAR.exe (PID: 2896)
    • Creates files in the user directory

      • SITDSHBKZ 180-001.exe (PID: 2644)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: SITDSHBKZ 180-001.exe
PackingMethod: Normal
ModifyDate: 2019:07:17 13:17:02
OperatingSystem: Win32
UncompressedSize: 1100288
CompressedSize: 540872
No data.
Total processes: 41
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 1

Behavior graph (interactive in the full report): WinRAR.exe drops and starts SITDSHBKZ 180-001.exe, which then starts itself; one SITDSHBKZ 180-001.exe instance is flagged #NANOCORE.

Process information

PID: 2896
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SITDSHBKZ 180-001.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3168
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.41735\SITDSHBKZ 180-001.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.41735\SITDSHBKZ 180-001.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2100
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.7785\SITDSHBKZ 180-001.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.7785\SITDSHBKZ 180-001.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2644
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.41735\SITDSHBKZ 180-001.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.41735\SITDSHBKZ 180-001.exe
Parent process: SITDSHBKZ 180-001.exe
User: admin
Integrity Level: MEDIUM

PID: 3204
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.7785\SITDSHBKZ 180-001.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.7785\SITDSHBKZ 180-001.exe
Parent process: SITDSHBKZ 180-001.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Total events: 463
Read events: 450
Write events: 13
Delete events: 0

Modification events

(PID) Process: (2896) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2896) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2896) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2896) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\SITDSHBKZ 180-001.rar

(PID) Process: (2896) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2896) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2896) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2896) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2896) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2896) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 3
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 2644
Process: SITDSHBKZ 180-001.exe
Filename: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
Type: text
MD5: 3BE994057E0DEC9816B5D3FC074ED9D4
SHA256: 442E3E45CAFCFC3057C748FFE4F8CCCB2E8A8AFD6FDECBF81AEC59601286545E

PID: 2896
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.41735\SITDSHBKZ 180-001.exe
Type: executable
MD5: 60DC69538986565CB1E4303BAC1E4428
SHA256: F87F264E23C1A6EE8BF4E2570B3F8F4F6E2D788371BA220388735973520E1CD1

PID: 2896
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.7785\SITDSHBKZ 180-001.exe
Type: executable
MD5: 60DC69538986565CB1E4303BAC1E4428
SHA256: F87F264E23C1A6EE8BF4E2570B3F8F4F6E2D788371BA220388735973520E1CD1

PID: 2644
Process: SITDSHBKZ 180-001.exe
Filename: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
Type: executable
MD5: 60DC69538986565CB1E4303BAC1E4428
SHA256: F87F264E23C1A6EE8BF4E2570B3F8F4F6E2D788371BA220388735973520E1CD1
HTTP(S) requests: 0
TCP/UDP connections: 25
DNS requests: 17
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2644 | SITDSHBKZ 180-001.exe | 8.8.8.8:53 | | Google Inc. | US | whitelisted
(not shown) | (not shown) | 8.8.8.8:53 | | Google Inc. | US | whitelisted
2644 | SITDSHBKZ 180-001.exe | 8.8.4.4:53 | | Google Inc. | US | whitelisted
(not shown) | (not shown) | 79.134.225.58:2016 | malam.ddns.net | Andreas Fink trading as Fink Telecom Services | CH | malicious
2644 | SITDSHBKZ 180-001.exe | 79.134.225.58:2016 | malam.ddns.net | Andreas Fink trading as Fink Telecom Services | CH | malicious

DNS requests

Domain | IP | Reputation
malam.ddns.net | 79.134.225.58 | unknown

Threats

No threats detected
No debug info