File name: SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe

Full analysis: https://app.any.run/tasks/07edd5da-186a-4a51-b71a-857cd99850a3
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: April 18, 2025, 05:57:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
api-base64
nanocore
rat
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 28A62E25A7B9879EB4CBCD5C7F488913
SHA1: 226EA8F629C66DB4B03A840541A32004BE498359
SHA256: FED673EC9B344292155FA81C6339CE0ACD7C832B561A9256C5376D2B8FC1823C
SSDEEP: 6144:+HaVe1mkdpt+RFTQ8A6JJxj2y23dxOxOJ8VTk:9nxN2xOxzT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NANOCORE has been detected (YARA)

      • SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe (PID: 732)
      • BrightHorizon_Binder.exe (PID: 3304)
    • NANOCORE has been detected (SURICATA)

      • BrightHorizon_Binder.exe (PID: 3304)
    • Connects to the CnC server

      • BrightHorizon_Binder.exe (PID: 3304)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe (PID: 732)
    • Reads security settings of Internet Explorer

      • SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe (PID: 732)
    • Connects to SMTP port

      • SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe (PID: 732)
    • Connects to unusual port

      • BrightHorizon_Binder.exe (PID: 3304)
    • Contacting a server suspected of hosting a CnC

      • BrightHorizon_Binder.exe (PID: 3304)
  • INFO

    • Checks supported languages

      • SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe (PID: 732)
      • BrightHorizon_Binder.exe (PID: 3304)
    • Process checks computer location settings

      • SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe (PID: 732)
    • Reads the computer name

      • SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe (PID: 732)
      • BrightHorizon_Binder.exe (PID: 3304)
    • Create files in a temporary directory

      • SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe (PID: 732)
    • Process checks whether UAC notifications are on

      • BrightHorizon_Binder.exe (PID: 3304)
    • Creates files or folders in the user directory

      • BrightHorizon_Binder.exe (PID: 3304)
    • Reads the machine GUID from the registry

      • BrightHorizon_Binder.exe (PID: 3304)
      • SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe (PID: 732)
    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe (PID: 732)
    • Reads the software policy settings

      • SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe (PID: 732)
      • slui.exe (PID: 1040)
    • Checks proxy server information

      • slui.exe (PID: 1040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Nanocore configuration

Process: BrightHorizon_Binder.exe (PID 3304)
BuildTime: 2025-04-06 23:45:42.272104
Version: 1.2.2.0
Mutex: 580ea223-d7f2-44b1-b94d-c55cee1f3909
DefaultGroup: Default
PrimaryConnectionHost: mydds.ddns.net
BackupConnectionHost: 172.96.137.25
ConnectionPort: 50000
RunOnStartup: False
RequestElevation: False
BypassUserAccountControl: True
ClearZoneIdentifier: True
ClearAccessControl: False
SetCriticalProcess: False
PreventSystemSleep: True
ActivateAwayMode: False
EnableDebugMode: False
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 5000
LanTimeout: 2500
WanTimeout: 8000
BufferSize: 65535
MaxPacketSize: 10485760
GCThreshold: 10485760
UseCustomDnsServer: True
PrimaryDnsServer: 8.8.8.8
BackupDnsServer: 8.8.4.4
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:08 07:09:56+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 284672
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x4773e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.5.9.5
ProductVersionNumber: 4.5.9.5
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Generated application
CompanyName: BlueAurora
FileDescription: BrightHorizon
FileVersion: 4.5.9.5
InternalName: BrightHorizon.exe
LegalCopyright:
OriginalFileName: BrightHorizon.exe
ProductName: BrightHorizon
ProductVersion: 4.5.9.5
AssemblyVersion: 4.5.9.5
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes: start; securiteinfo.com.trojan.muldrop30.55900.17543.25197.exe (#NANOCORE); brighthorizon_binder.exe (#NANOCORE); svchost.exe; slui.exe

Process information

PID: 732
CMD: "C:\Users\admin\Desktop\SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe"
Path: C:\Users\admin\Desktop\SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe
Parent process: explorer.exe
User: admin
Company: BlueAurora
Integrity Level: MEDIUM
Description: BrightHorizon
Version: 4.5.9.5
Modules (images):
  c:\users\admin\desktop\securiteinfo.com.trojan.muldrop30.55900.17543.25197.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll

PID: 1040
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\kernel.appcore.dll

PID: 3304
CMD: "C:\Users\admin\AppData\Local\Temp\BrightHorizon_Binder.exe"
Path: C:\Users\admin\AppData\Local\Temp\BrightHorizon_Binder.exe
Parent process: SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\appdata\local\temp\brighthorizon_binder.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
Total events: 4 819
Read events: 4 819
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 732
Process: SecuriteInfo.com.Trojan.MulDrop30.55900.17543.25197.exe
Filename: C:\Users\admin\AppData\Local\Temp\BrightHorizon_Binder.exe
Type: executable
MD5: 642B4F3C2485A6F71B6CBCB9810B5BF6
SHA256: 7A9768E776409B93B63E4642EB4D81C550E4F20EB4F0BB86A2EC30815EEF13BC

PID: 3304
Process: BrightHorizon_Binder.exe
Filename: C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\run.dat
Type: binary
MD5: 166D2C75BA724738F3B942E57F563347
SHA256: 3EB3A2C4F06D1CA56CCDC60E56C9366770879800E70389CE9A9C3B7D9AC05B9C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 32
TCP/UDP connections: 55
DNS requests: 50
Threats: 44

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5364 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
7000 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
7000 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
7000 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
7000 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | -
7000 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5364 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5364 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6544 | svchost.exe | 20.190.159.129:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 172.217.23.110
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
mydds.ddns.net
  • 192.159.99.192
malicious
login.live.com
  • 20.190.159.129
  • 20.190.159.73
  • 20.190.159.23
  • 40.126.31.128
  • 40.126.31.2
  • 20.190.159.2
  • 20.190.159.68
  • 40.126.31.1
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID | Process | Class | Message
3304 | BrightHorizon_Binder.exe | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net (10 identical alerts)
No debug info