- MalFamily: "Nanocore"
- MalScore: 10.0
- File Name: "NanoCore_93c76ec29f0152b3ed728118b27464ec.exe"
- File Size: 708096
- File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
- SHA256: "3c239a1e21f8d36cfba76d540474e5a5587dbcbb9414ff436c256ebd162ffc6b"
- MD5: "93c76ec29f0152b3ed728118b27464ec"
- SHA1: "1acfa69dc778f5610402319f8bf2b496ce0d25ec"
- SHA512: "3c12d3bc71bfbd5817028fd7ac2f6126c340a22fb9817c3325f7870d8df60908de524e2d95958801a06f9f3491c6cd1e683227dbd13c3fa1fb8a0fcc99ce4103"
- CRC32: "672E94E6"
- SSDEEP: "12288:VQ1DEpOkDi8ITLA5tJA4h4I/bzIx1ljNFGR0LCy:V+EcyiKnJ3D/3Ix1x6R0L"
- Process Execution:
  - "KQumh.exe"
  - "KQumh.exe"
- Executed Commands:
  - "\"C:\\Users\\user\\AppData\\Local\\Temp\\KQumh.exe\""
- Signatures Detected:
  - Description: "SetUnhandledExceptionFilter detected (possible anti-debug)"
  - Description: "Behavioural detection: Executable code extraction"
  - Description: "Attempts to connect to a dead IP:Port (2 unique times)"
    - IP: "185.217.1.176:555 (Sweden)"
    - IP: "127.0.0.1:555"
  - Description: "Guard pages use detected - possible anti-debugging."
  - Description: "A process attempted to delay the analysis task."
    - Process: "KQumh.exe tried to sleep 1356 seconds, actually delayed analysis time by 0 seconds"
  - Description: "At least one IP Address, Domain, or File Name was found in a crypto call"
    - ioc: "v2.0.50727"
  - Description: "Reads data out of its own binary image"
    - self_read: "process: KQumh.exe, pid: 1812, offset: 0x00000000, length: 0x00001000"
    - self_read: "process: KQumh.exe, pid: 1812, offset: 0x00000080, length: 0x00000200"
  - Description: "The binary likely contains encrypted or compressed data."
    - section: "name: .text, entropy: 7.97, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00079000, virtual_size: 0x00078f74"
  - Description: "Behavioural detection: Injection (Process Hollowing)"
    - Injection: "KQumh.exe(1964) -> KQumh.exe(1812)"
  - Description: "Executed a process and injected code into it, probably while unpacking"
    - Injection: "KQumh.exe(1964) -> KQumh.exe(1812)"
  - Description: "Attempts to remove evidence of file being downloaded from the Internet"
    - file: "C:\\Users\\user\\AppData\\Local\\Temp\\KQumh.exe:Zone.Identifier"
  - Description: "Behavioural detection: Injection (inter-process)"
  - Description: "Behavioural detection: Injection with CreateRemoteThread in a remote process"
  - Description: "Installs itself for autorun at Windows startup"
    - key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
    - data: "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
  - Description: "Exhibits behavior characteristic of Nanocore RAT"
  - Description: "File has been identified by 54 Antiviruses on VirusTotal as malicious"
    - MicroWorld-eScan: "Trojan.GenericKD.41465620"
    - FireEye: "Generic.mg.93c76ec29f0152b3"
    - CAT-QuickHeal: "Trojan.MSIL"
    - McAfee: "RDN/Generic.hbg"
    - Malwarebytes: "Backdoor.NanoCore"
    - K7AntiVirus: "Trojan ( 005529161 )"
    - Alibaba: "Trojan:MSIL/Crypt.939bb126"
    - K7GW: "Trojan ( 005529161 )"
    - Cybereason: "malicious.dc778f"
    - Arcabit: "Trojan.Generic.D278B714"
    - TrendMicro: "TROJ_FRS.VSNW0FG19"
    - Cyren: "W32/Trojan.ZUFH-0796"
    - Symantec: "Trojan.Gen.MBT"
    - APEX: "Malicious"
    - Paloalto: "generic.ml"
    - Kaspersky: "HEUR:Trojan.MSIL.Crypt.gen"
    - BitDefender: "Trojan.GenericKD.41465620"
    - NANO-Antivirus: "Trojan.Win32.Crypt.ftjfga"
    - AegisLab: "Trojan.MSIL.Crypt.4!c"
    - Tencent: "Win32.Trojan.Inject.Auto"
    - Ad-Aware: "Trojan.GenericKD.41465620"
    - Emsisoft: "Trojan.GenericKD.41465620 (B)"
    - Comodo: "Malware@#capxnd8usoex"
    - F-Secure: "Trojan.TR/AD.Nanocore.jyr"
    - DrWeb: "Trojan.PWS.Stealer.21377"
    - VIPRE: "Trojan.Win32.Generic!BT"
    - Invincea: "heuristic"
    - McAfee-GW-Edition: "BehavesLike.Win32.Generic.jc"
    - Trapmine: "malicious.high.ml.score"
    - Sophos: "Troj/Nanoco-SL"
    - SentinelOne: "DFI - Malicious PE"
    - Jiangmin: "Trojan.MSIL.lrlv"
    - Avira: "TR/AD.Nanocore.jyr"
    - Microsoft: "Backdoor:MSIL/Noancooe.C"
    - Endgame: "malicious (high confidence)"
    - ZoneAlarm: "HEUR:Trojan.MSIL.Crypt.gen"
    - GData: "Trojan.GenericKD.41465620"
    - AhnLab-V3: "Trojan/Win32.MDA.R107085"
    - Acronis: "suspicious"
    - ALYac: "Trojan.GenericKD.41465620"
    - MAX: "malware (ai score=100)"
    - VBA32: "TScope.Trojan.MSIL"
    - Cylance: "Unsafe"
    - Panda: "Trj/GdSda.A"
    - ESET-NOD32: "a variant of MSIL/Kryptik.SFP"
    - TrendMicro-HouseCall: "TROJ_FRS.VSNW0FG19"
    - Yandex: "Trojan.Crypt!Xc2xAj45QVY"
    - Ikarus: "Trojan.MSIL.Inject"
    - Fortinet: "MSIL/Kryptik.MWR!tr"
    - MaxSecure: "Trojan.Malware.11716371.susgen"
    - AVG: "Win32:RATX-gen Trj"
    - Avast: "Win32:RATX-gen Trj"
    - CrowdStrike: "win/malicious_confidence_100% (W)"
    - Qihoo-360: "HEUR/QVM03.0.8707.Malware.Gen"
  - Description: "Creates a copy of itself"
    - copy: "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
  - Description: "Collects information to fingerprint the system"
- Started Service:
- Mutexes:
  - "Global\\CLR_PerfMon_WrapMutex"
  - "Global\\CLR_CASOFF_MUTEX"
  - "Global\\bd5c416c-71f5-4d6b-8bd1-843e849fe681"
  - "Global\\.net clr networking"
- Modified Files:
  - "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat"
  - "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
- Deleted Files:
  - "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1964.2051671"
  - "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1964.2051687"
  - "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1964.2051687"
  - "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
  - "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\DSL Subsystem\\dslss.exe"
  - "C:\\Users\\user\\AppData\\Local\\Temp\\KQumh.exe:Zone.Identifier"
- Modified Registry Keys:
  - "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
- Deleted Registry Keys:
- DNS Communications:
- Domains:
- Network Communication - ICMP:
- Network Communication - HTTP:
- Network Communication - SMTP:
- Network Communication - Hosts:
  - country_name: "Sweden"
  - ip: "185.217.1.176"
  - inaddrarpa: ""
  - hostname: ""
- Network Communication - IRC: