analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

298645487d872600b093d2cda8f7646278919500.rar

Full analysis: https://app.any.run/tasks/dc358a28-5b89-4c23-bb0c-918e94f61a5c
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 19:48:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
rat
nanocore
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

F2860F1115EE8DEC42B9744B25037D0C

SHA1:

298645487D872600B093D2CDA8F7646278919500

SHA256:

E32EBAA9F255060A57B650509E915F57A6AF04E551A049CCE86031324544DA4A

SSDEEP:

12288:EYVavSv4Mke+ntdRWuKZ4ZAnWqFwXzHit9yRvdlnai6pWeXI6Y4VQBF/eMzv:E2aKgi+ntbKWZx0xt9SfaiZKmVv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Quotaton Docx.exe (PID: 2008)
      • RegSvcs.exe (PID: 480)

    • NANOCORE was detected

      • RegSvcs.exe (PID: 480)

    • Changes the autorun value in the registry

      • RegSvcs.exe (PID: 480)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2920)
      • RegSvcs.exe (PID: 480)

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2920)

    • Creates files in the user directory

      • RegSvcs.exe (PID: 480)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe quotaton docx.exe no specs #NANOCORE regsvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
2920"C:\Program Files\WinRAR\WinRAR.exe" "C:\Windows\298645487d872600b093d2cda8f7646278919500.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2008"C:\Users\admin\AppData\Local\Temp\Rar$EXa2920.1943\Quotaton Docx.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2920.1943\Quotaton Docx.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
480"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Quotaton Docx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
2.0.50727.5483 (Win7SP1GDR.050727-5400)
Total events
569
Read events
541
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
480RegSvcs.exeC:\Users\admin\AppData\Roaming\EEEB5D54-7880-42A7-B542-739BBC26CF4B\run.datbinary
MD5:B015CEE0F56BD436DEB7C5C84E9CA151
SHA256:511030057FAD9ED6752DB563A54EA7B440EFB3BE2A408628BCAE05340AFCA00F
2920WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2920.1943\Quotaton Docx.exeexecutable
MD5:76D6730F6337033FBD396300C494575D
SHA256:4CFA4A8D8DBD6FFBFA6370F5654E8B3D47BBAD28B09354B2D5BA555C85640042
480RegSvcs.exeC:\Users\admin\AppData\Roaming\EEEB5D54-7880-42A7-B542-739BBC26CF4B\UPNP Host\upnphost.exeexecutable
MD5:72A9F09010A89860456C6474E2E6D25C
SHA256:7299EB6E11C8704E7CB18F57879550CDD88EF7B2AE8CBA031B795BC5D92CE8E3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
15
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
480
RegSvcs.exe
91.192.100.23:1985
SOFTplus Entwicklungen GmbH
CH
malicious

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
298645487d872600b093d2cda8f7646278919500.rar