NanoCore_93c76ec29f0152b3ed728118b27464ec_exe_2019-08-29_08_30.txt


* MalFamily: "Nanocore"

* MalScore: 10.0

* File Name: "NanoCore_93c76ec29f0152b3ed728118b27464ec.exe"
* File Size: 708096
* File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
* SHA256: "3c239a1e21f8d36cfba76d540474e5a5587dbcbb9414ff436c256ebd162ffc6b"
* MD5: "93c76ec29f0152b3ed728118b27464ec"
* SHA1: "1acfa69dc778f5610402319f8bf2b496ce0d25ec"
* SHA512: "3c12d3bc71bfbd5817028fd7ac2f6126c340a22fb9817c3325f7870d8df60908de524e2d95958801a06f9f3491c6cd1e683227dbd13c3fa1fb8a0fcc99ce4103"
* CRC32: "672E94E6"
* SSDEEP: "12288:VQ1DEpOkDi8ITLA5tJA4h4I/bzIx1ljNFGR0LCy:V+EcyiKnJ3D/3Ix1x6R0L"

* Process Execution:
    "KQumh.exe",
    "KQumh.exe"


* Executed Commands:
    "\"C:\\Users\\user\\AppData\\Local\\Temp\\KQumh.exe\""


* Signatures Detected:

        "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
        "Details":


        "Description": "Behavioural detection: Executable code extraction",
        "Details":


        "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
        "Details":

                "IP": "185.217.1.176:555 (Sweden)"


                "IP": "127.0.0.1:555"


        "Description": "Guard pages use detected - possible anti-debugging.",
        "Details":


        "Description": "A process attempted to delay the analysis task.",
        "Details":

                "Process": "KQumh.exe tried to sleep 1356 seconds, actually delayed analysis time by 0 seconds"


        "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
        "Details":

                "ioc": "v2.0.50727"


        "Description": "Reads data out of its own binary image",
        "Details":

                "self_read": "process: KQumh.exe, pid: 1812, offset: 0x00000000, length: 0x00001000"


                "self_read": "process: KQumh.exe, pid: 1812, offset: 0x00000080, length: 0x00000200"


        "Description": "The binary likely contains encrypted or compressed data.",
        "Details":

                "section": "name: .text, entropy: 7.97, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00079000, virtual_size: 0x00078f74"


        "Description": "Behavioural detection: Injection (Process Hollowing)",
        "Details":

                "Injection": "KQumh.exe(1964) -> KQumh.exe(1812)"


        "Description": "Executed a process and injected code into it, probably while unpacking",
        "Details":

                "Injection": "KQumh.exe(1964) -> KQumh.exe(1812)"


        "Description": "Attempts to remove evidence of file being downloaded from the Internet",
        "Details":

                "file": "C:\\Users\\user\\AppData\\Local\\Temp\\KQumh.exe:Zone.Identifier"


        "Description": "Behavioural detection: Injection (inter-process)",
        "Details":


        "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
        "Details":


        "Description": "Installs itself for autorun at Windows startup",
        "Details":

                "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"


                "data": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"


        "Description": "Exhibits behavior characteristic of Nanocore RAT",
        "Details":


        "Description": "File has been identified by 54 Antiviruses on VirusTotal as malicious",
        "Details":

                "MicroWorld-eScan": "Trojan.GenericKD.41465620"


                "FireEye": "Generic.mg.93c76ec29f0152b3"


                "CAT-QuickHeal": "Trojan.MSIL"


                "McAfee": "RDN/Generic.hbg"


                "Malwarebytes": "Backdoor.NanoCore"


                "K7AntiVirus": "Trojan ( 005529161 )"


                "Alibaba": "Trojan:MSIL/Crypt.939bb126"


                "K7GW": "Trojan ( 005529161 )"


                "Cybereason": "malicious.dc778f"


                "Arcabit": "Trojan.Generic.D278B714"


                "TrendMicro": "TROJ_FRS.VSNW0FG19"


                "Cyren": "W32/Trojan.ZUFH-0796"


                "Symantec": "Trojan.Gen.MBT"


                "APEX": "Malicious"


                "Paloalto": "generic.ml"


                "Kaspersky": "HEUR:Trojan.MSIL.Crypt.gen"


                "BitDefender": "Trojan.GenericKD.41465620"


                "NANO-Antivirus": "Trojan.Win32.Crypt.ftjfga"


                "AegisLab": "Trojan.MSIL.Crypt.4!c"


                "Tencent": "Win32.Trojan.Inject.Auto"


                "Ad-Aware": "Trojan.GenericKD.41465620"


                "Emsisoft": "Trojan.GenericKD.41465620 (B)"


                "Comodo": "Malware@#capxnd8usoex"


                "F-Secure": "Trojan.TR/AD.Nanocore.jyr"


                "DrWeb": "Trojan.PWS.Stealer.21377"


                "VIPRE": "Trojan.Win32.Generic!BT"


                "Invincea": "heuristic"


                "McAfee-GW-Edition": "BehavesLike.Win32.Generic.jc"


                "Trapmine": "malicious.high.ml.score"


                "Sophos": "Troj/Nanoco-SL"


                "SentinelOne": "DFI - Malicious PE"


                "Jiangmin": "Trojan.MSIL.lrlv"


                "Avira": "TR/AD.Nanocore.jyr"


                "Microsoft": "Backdoor:MSIL/Noancooe.C"


                "Endgame": "malicious (high confidence)"


                "ZoneAlarm": "HEUR:Trojan.MSIL.Crypt.gen"


                "GData": "Trojan.GenericKD.41465620"


                "AhnLab-V3": "Trojan/Win32.MDA.R107085"


                "Acronis": "suspicious"


                "ALYac": "Trojan.GenericKD.41465620"


                "MAX": "malware (ai score=100)"


                "VBA32": "TScope.Trojan.MSIL"


                "Cylance": "Unsafe"


                "Panda": "Trj/GdSda.A"


                "ESET-NOD32": "a variant of MSIL/Kryptik.SFP"


                "TrendMicro-HouseCall": "TROJ_FRS.VSNW0FG19"


                "Yandex": "Trojan.Crypt!Xc2xAj45QVY"


                "Ikarus": "Trojan.MSIL.Inject"


                "Fortinet": "MSIL/Kryptik.MWR!tr"


                "MaxSecure": "Trojan.Malware.11716371.susgen"


                "AVG": "Win32:RATX-gen Trj"


                "Avast": "Win32:RATX-gen Trj"


                "CrowdStrike": "win/malicious_confidence_100% (W)"


                "Qihoo-360": "HEUR/QVM03.0.8707.Malware.Gen"


        "Description": "Creates a copy of itself",
        "Details":

                "copy": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"


        "Description": "Collects information to fingerprint the system",
        "Details":


* Started Service:

* Mutexes:
    "Global\\CLR_PerfMon_WrapMutex",
    "Global\\CLR_CASOFF_MUTEX",
    "Global\\bd5c416c-71f5-4d6b-8bd1-843e849fe681",
    "Global\\.net clr networking"


* Modified Files:
    "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat",
    "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"


* Deleted Files:
    "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1964.2051671",
    "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1964.2051687",
    "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1964.2051687",
    "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
    "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\DSL Subsystem\\dslss.exe",
    "C:\\Users\\user\\AppData\\Local\\Temp\\KQumh.exe:Zone.Identifier"


* Modified Registry Keys:
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"


* Deleted Registry Keys:

* DNS Communications:

* Domains:

* Network Communication - ICMP:

* Network Communication - HTTP:

* Network Communication - SMTP:

* Network Communication - Hosts:

        "country_name": "Sweden",
        "ip": "185.217.1.176",
        "inaddrarpa": "",
        "hostname": ""


* Network Communication - IRC: