Advertisement
paladin316

NanoCore_93c76ec29f0152b3ed728118b27464ec_exe_2019-08-29_08_30.txt

Aug 29th, 2019
2,702
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.74 KB | None | 0 0
  1.  
  2. * MalFamily: "Nanocore"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "NanoCore_93c76ec29f0152b3ed728118b27464ec.exe"
  7. * File Size: 708096
  8. * File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
  9. * SHA256: "3c239a1e21f8d36cfba76d540474e5a5587dbcbb9414ff436c256ebd162ffc6b"
  10. * MD5: "93c76ec29f0152b3ed728118b27464ec"
  11. * SHA1: "1acfa69dc778f5610402319f8bf2b496ce0d25ec"
  12. * SHA512: "3c12d3bc71bfbd5817028fd7ac2f6126c340a22fb9817c3325f7870d8df60908de524e2d95958801a06f9f3491c6cd1e683227dbd13c3fa1fb8a0fcc99ce4103"
  13. * CRC32: "672E94E6"
  14. * SSDEEP: "12288:VQ1DEpOkDi8ITLA5tJA4h4I/bzIx1ljNFGR0LCy:V+EcyiKnJ3D/3Ix1x6R0L"
  15.  
  16. * Process Execution:
  17. "KQumh.exe",
  18. "KQumh.exe"
  19.  
  20.  
  21. * Executed Commands:
  22. "\"C:\\Users\\user\\AppData\\Local\\Temp\\KQumh.exe\""
  23.  
  24.  
  25. * Signatures Detected:
  26.  
  27. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  28. "Details":
  29.  
  30.  
  31. "Description": "Behavioural detection: Executable code extraction",
  32. "Details":
  33.  
  34.  
  35. "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
  36. "Details":
  37.  
  38. "IP": "185.217.1.176:555 (Sweden)"
  39.  
  40.  
  41. "IP": "127.0.0.1:555"
  42.  
  43.  
  44.  
  45.  
  46. "Description": "Guard pages use detected - possible anti-debugging.",
  47. "Details":
  48.  
  49.  
  50. "Description": "A process attempted to delay the analysis task.",
  51. "Details":
  52.  
  53. "Process": "KQumh.exe tried to sleep 1356 seconds, actually delayed analysis time by 0 seconds"
  54.  
  55.  
  56.  
  57.  
  58. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  59. "Details":
  60.  
  61. "ioc": "v2.0.50727"
  62.  
  63.  
  64.  
  65.  
  66. "Description": "Reads data out of its own binary image",
  67. "Details":
  68.  
  69. "self_read": "process: KQumh.exe, pid: 1812, offset: 0x00000000, length: 0x00001000"
  70.  
  71.  
  72. "self_read": "process: KQumh.exe, pid: 1812, offset: 0x00000080, length: 0x00000200"
  73.  
  74.  
  75.  
  76.  
  77. "Description": "The binary likely contains encrypted or compressed data.",
  78. "Details":
  79.  
  80. "section": "name: .text, entropy: 7.97, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00079000, virtual_size: 0x00078f74"
  81.  
  82.  
  83.  
  84.  
  85. "Description": "Behavioural detection: Injection (Process Hollowing)",
  86. "Details":
  87.  
  88. "Injection": "KQumh.exe(1964) -> KQumh.exe(1812)"
  89.  
  90.  
  91.  
  92.  
  93. "Description": "Executed a process and injected code into it, probably while unpacking",
  94. "Details":
  95.  
  96. "Injection": "KQumh.exe(1964) -> KQumh.exe(1812)"
  97.  
  98.  
  99.  
  100.  
  101. "Description": "Attempts to remove evidence of file being downloaded from the Internet",
  102. "Details":
  103.  
  104. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\KQumh.exe:Zone.Identifier"
  105.  
  106.  
  107.  
  108.  
  109. "Description": "Behavioural detection: Injection (inter-process)",
  110. "Details":
  111.  
  112.  
  113. "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
  114. "Details":
  115.  
  116.  
  117. "Description": "Installs itself for autorun at Windows startup",
  118. "Details":
  119.  
  120. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
  121.  
  122.  
  123. "data": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
  124.  
  125.  
  126.  
  127.  
  128. "Description": "Exhibits behavior characteristic of Nanocore RAT",
  129. "Details":
  130.  
  131.  
  132. "Description": "File has been identified by 54 Antiviruses on VirusTotal as malicious",
  133. "Details":
  134.  
  135. "MicroWorld-eScan": "Trojan.GenericKD.41465620"
  136.  
  137.  
  138. "FireEye": "Generic.mg.93c76ec29f0152b3"
  139.  
  140.  
  141. "CAT-QuickHeal": "Trojan.MSIL"
  142.  
  143.  
  144. "McAfee": "RDN/Generic.hbg"
  145.  
  146.  
  147. "Malwarebytes": "Backdoor.NanoCore"
  148.  
  149.  
  150. "K7AntiVirus": "Trojan ( 005529161 )"
  151.  
  152.  
  153. "Alibaba": "Trojan:MSIL/Crypt.939bb126"
  154.  
  155.  
  156. "K7GW": "Trojan ( 005529161 )"
  157.  
  158.  
  159. "Cybereason": "malicious.dc778f"
  160.  
  161.  
  162. "Arcabit": "Trojan.Generic.D278B714"
  163.  
  164.  
  165. "TrendMicro": "TROJ_FRS.VSNW0FG19"
  166.  
  167.  
  168. "Cyren": "W32/Trojan.ZUFH-0796"
  169.  
  170.  
  171. "Symantec": "Trojan.Gen.MBT"
  172.  
  173.  
  174. "APEX": "Malicious"
  175.  
  176.  
  177. "Paloalto": "generic.ml"
  178.  
  179.  
  180. "Kaspersky": "HEUR:Trojan.MSIL.Crypt.gen"
  181.  
  182.  
  183. "BitDefender": "Trojan.GenericKD.41465620"
  184.  
  185.  
  186. "NANO-Antivirus": "Trojan.Win32.Crypt.ftjfga"
  187.  
  188.  
  189. "AegisLab": "Trojan.MSIL.Crypt.4!c"
  190.  
  191.  
  192. "Tencent": "Win32.Trojan.Inject.Auto"
  193.  
  194.  
  195. "Ad-Aware": "Trojan.GenericKD.41465620"
  196.  
  197.  
  198. "Emsisoft": "Trojan.GenericKD.41465620 (B)"
  199.  
  200.  
  201. "Comodo": "Malware@#capxnd8usoex"
  202.  
  203.  
  204. "F-Secure": "Trojan.TR/AD.Nanocore.jyr"
  205.  
  206.  
  207. "DrWeb": "Trojan.PWS.Stealer.21377"
  208.  
  209.  
  210. "VIPRE": "Trojan.Win32.Generic!BT"
  211.  
  212.  
  213. "Invincea": "heuristic"
  214.  
  215.  
  216. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.jc"
  217.  
  218.  
  219. "Trapmine": "malicious.high.ml.score"
  220.  
  221.  
  222. "Sophos": "Troj/Nanoco-SL"
  223.  
  224.  
  225. "SentinelOne": "DFI - Malicious PE"
  226.  
  227.  
  228. "Jiangmin": "Trojan.MSIL.lrlv"
  229.  
  230.  
  231. "Avira": "TR/AD.Nanocore.jyr"
  232.  
  233.  
  234. "Microsoft": "Backdoor:MSIL/Noancooe.C"
  235.  
  236.  
  237. "Endgame": "malicious (high confidence)"
  238.  
  239.  
  240. "ZoneAlarm": "HEUR:Trojan.MSIL.Crypt.gen"
  241.  
  242.  
  243. "GData": "Trojan.GenericKD.41465620"
  244.  
  245.  
  246. "AhnLab-V3": "Trojan/Win32.MDA.R107085"
  247.  
  248.  
  249. "Acronis": "suspicious"
  250.  
  251.  
  252. "ALYac": "Trojan.GenericKD.41465620"
  253.  
  254.  
  255. "MAX": "malware (ai score=100)"
  256.  
  257.  
  258. "VBA32": "TScope.Trojan.MSIL"
  259.  
  260.  
  261. "Cylance": "Unsafe"
  262.  
  263.  
  264. "Panda": "Trj/GdSda.A"
  265.  
  266.  
  267. "ESET-NOD32": "a variant of MSIL/Kryptik.SFP"
  268.  
  269.  
  270. "TrendMicro-HouseCall": "TROJ_FRS.VSNW0FG19"
  271.  
  272.  
  273. "Yandex": "Trojan.Crypt!Xc2xAj45QVY"
  274.  
  275.  
  276. "Ikarus": "Trojan.MSIL.Inject"
  277.  
  278.  
  279. "Fortinet": "MSIL/Kryptik.MWR!tr"
  280.  
  281.  
  282. "MaxSecure": "Trojan.Malware.11716371.susgen"
  283.  
  284.  
  285. "AVG": "Win32:RATX-gen Trj"
  286.  
  287.  
  288. "Avast": "Win32:RATX-gen Trj"
  289.  
  290.  
  291. "CrowdStrike": "win/malicious_confidence_100% (W)"
  292.  
  293.  
  294. "Qihoo-360": "HEUR/QVM03.0.8707.Malware.Gen"
  295.  
  296.  
  297.  
  298.  
  299. "Description": "Creates a copy of itself",
  300. "Details":
  301.  
  302. "copy": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
  303.  
  304.  
  305.  
  306.  
  307. "Description": "Collects information to fingerprint the system",
  308. "Details":
  309.  
  310.  
  311.  
  312. * Started Service:
  313.  
  314. * Mutexes:
  315. "Global\\CLR_PerfMon_WrapMutex",
  316. "Global\\CLR_CASOFF_MUTEX",
  317. "Global\\bd5c416c-71f5-4d6b-8bd1-843e849fe681",
  318. "Global\\.net clr networking"
  319.  
  320.  
  321. * Modified Files:
  322. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat",
  323. "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
  324.  
  325.  
  326. * Deleted Files:
  327. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1964.2051671",
  328. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1964.2051687",
  329. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1964.2051687",
  330. "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
  331. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\DSL Subsystem\\dslss.exe",
  332. "C:\\Users\\user\\AppData\\Local\\Temp\\KQumh.exe:Zone.Identifier"
  333.  
  334.  
  335. * Modified Registry Keys:
  336. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
  337.  
  338.  
  339. * Deleted Registry Keys:
  340.  
  341. * DNS Communications:
  342.  
  343. * Domains:
  344.  
  345. * Network Communication - ICMP:
  346.  
  347. * Network Communication - HTTP:
  348.  
  349. * Network Communication - SMTP:
  350.  
  351. * Network Communication - Hosts:
  352.  
  353. "country_name": "Sweden",
  354. "ip": "185.217.1.176",
  355. "inaddrarpa": "",
  356. "hostname": ""
  357.  
  358.  
  359.  
  360. * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement