File name: | SITDSHBKZ 180-001.rar |
Full analysis: | https://app.any.run/tasks/2a47a3cd-14f6-4c27-9f76-1556457ab404 |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | July 17, 2019, 16:27:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | F3F7F69664641C685EC93166A9E2FB1F |
SHA1: | 90CB64ECEFF98C0E58AA5DC92112F64E0B15E34E |
SHA256: | D51FD76F15053750BCC77C3ECCD96DB79BBFBC53D259CDF21FF6BEA1C717E3BE |
SSDEEP: | 12288:EuyD7Rs/A7PHtP3r4wLl7ewJ69/XtZ4UOG5rWm:E9DRxLl7ew29Z4spWm |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
ArchivedFileName: | SITDSHBKZ 180-001.exe |
---|---|
PackingMethod: | Normal |
ModifyDate: | 2019:07:17 13:17:02 |
OperatingSystem: | Win32 |
UncompressedSize: | 1100288 |
CompressedSize: | 540872 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2896 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SITDSHBKZ 180-001.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3168 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.41735\SITDSHBKZ 180-001.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.41735\SITDSHBKZ 180-001.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2100 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.7785\SITDSHBKZ 180-001.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.7785\SITDSHBKZ 180-001.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2644 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.41735\SITDSHBKZ 180-001.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.41735\SITDSHBKZ 180-001.exe | SITDSHBKZ 180-001.exe | |
User: admin Integrity Level: MEDIUM | ||||
3204 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.7785\SITDSHBKZ 180-001.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.7785\SITDSHBKZ 180-001.exe | — | SITDSHBKZ 180-001.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
(PID) Process: | (2896) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2896) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2896) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2896) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\SITDSHBKZ 180-001.rar | |||
(PID) Process: | (2896) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2896) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2896) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2896) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2896) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2896) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2644 | SITDSHBKZ 180-001.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | |
MD5:3BE994057E0DEC9816B5D3FC074ED9D4 | SHA256:442E3E45CAFCFC3057C748FFE4F8CCCB2E8A8AFD6FDECBF81AEC59601286545E | |||
2896 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.41735\SITDSHBKZ 180-001.exe | executable | |
MD5:60DC69538986565CB1E4303BAC1E4428 | SHA256:F87F264E23C1A6EE8BF4E2570B3F8F4F6E2D788371BA220388735973520E1CD1 | |||
2896 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.7785\SITDSHBKZ 180-001.exe | executable | |
MD5:60DC69538986565CB1E4303BAC1E4428 | SHA256:F87F264E23C1A6EE8BF4E2570B3F8F4F6E2D788371BA220388735973520E1CD1 | |||
2644 | SITDSHBKZ 180-001.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | |
MD5:60DC69538986565CB1E4303BAC1E4428 | SHA256:F87F264E23C1A6EE8BF4E2570B3F8F4F6E2D788371BA220388735973520E1CD1 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2644 | SITDSHBKZ 180-001.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
— | — | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
2644 | SITDSHBKZ 180-001.exe | 8.8.4.4:53 | — | Google Inc. | US | whitelisted |
— | — | 79.134.225.58:2016 | malam.ddns.net | Andreas Fink trading as Fink Telecom Services | CH | malicious |
2644 | SITDSHBKZ 180-001.exe | 79.134.225.58:2016 | malam.ddns.net | Andreas Fink trading as Fink Telecom Services | CH | malicious |
Domain | IP | Reputation |
---|---|---|
malam.ddns.net |
| unknown |