Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 2417
- * MalFamily: "Nanocore"
- * MalScore: 10.0
- * File Name: "NanoCore_0ea6ca9f4b58c8dda83575997e9a1b9c.exe"
- * File Size: 1111040
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "bc5216eb11fdf50e8e56159be45e89bca7396c057c9d9bfbfc54a52837fb99b0"
- * MD5: "0ea6ca9f4b58c8dda83575997e9a1b9c"
- * SHA1: "7a151a23d6e48adbfc9fecd396ea1130c208f0cd"
- * SHA512: "ad48f1ee46011f922031defab05ef17dc6993f29fe8a81defbbfcb0b34307037e1702ece38ac77d14377c6af5ecd4e1b386b4008c1d46ccb55cb406beb6da415"
- * CRC32: "A7E46BDA"
- * SSDEEP: "24576:BAHnh+eWsN3skA4RV1Hom2KXMmHaRhpGT/DnWmZsE5:Yh+ZkldoPK8YaRS7TL1"
- * Process Execution:
- "4D2ZXETDzY.exe",
- "RegAsm.exe"
- * Executed Commands:
- "\"C:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework\\\\\\\\v2.0.50727\\\\\\\\RegAsm.exe\""
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "RegAsm.exe tried to sleep 1032 seconds, actually delayed analysis time by 0 seconds"
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details":
- "ioc": "v2.0.50727"
- "Description": "Expresses interest in specific running processes",
- "Details":
- "process": "RegAsm.exe"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: 4D2ZXETDzY.exe, pid: 2220, offset: 0x00000000, length: 0x00010000"
- "self_read": "process: 4D2ZXETDzY.exe, pid: 2220, offset: 0x00000000, length: 0x0010f400"
- "self_read": "process: RegAsm.exe, pid: 2408, offset: 0x00000000, length: 0x00001000"
- "self_read": "process: RegAsm.exe, pid: 2408, offset: 0x00000080, length: 0x00000200"
- "self_read": "process: RegAsm.exe, pid: 2408, offset: 0x00000178, length: 0x00000200"
- "self_read": "process: RegAsm.exe, pid: 2408, offset: 0x0000a720, length: 0x00000200"
- "self_read": "process: RegAsm.exe, pid: 2408, offset: 0x0000a73c, length: 0x00000200"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.84, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00044e00, virtual_size: 0x00044c5c"
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\0x433A5C55736572735C7362755C42696E6741534453"
- "data": "C:\\Users\\user\\BingASDS\\unregmp2.bat"
- "Description": "Exhibits behavior characteristic of Nanocore RAT",
- "Details":
- "Description": "File has been identified by 28 Antiviruses on VirusTotal as malicious",
- "Details":
- "Qihoo-360": "HEUR/QVM10.1.DC75.Malware.Gen"
- "McAfee": "Artemis!0EA6CA9F4B58"
- "Cylance": "Unsafe"
- "AegisLab": "Trojan.Win32.Generic.4!c"
- "Alibaba": "Trojan:Win32/AutoitInject.f864869a"
- "F-Prot": "W32/Autoit.G.gen!Eldorado"
- "APEX": "Malicious"
- "Avast": "FileRepMalware"
- "Kaspersky": "HEUR:Trojan.Win32.Generic"
- "Rising": "Trojan.Injector/Autoit!1.BB82 (CLASSIC)"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Generic.tc"
- "FireEye": "Generic.mg.0ea6ca9f4b58c8dd"
- "Ikarus": "Trojan.Autoit"
- "Cyren": "W32/Autoit.G.gen!Eldorado"
- "MAX": "malware (ai score=100)"
- "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
- "Microsoft": "Trojan:Win32/AutoitInject.BH!MTB"
- "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
- "AhnLab-V3": "Win-Trojan/Autoinj02.Exp"
- "Acronis": "suspicious"
- "Malwarebytes": "Trojan.MalPack.AutoIt"
- "ESET-NOD32": "a variant of Win32/Injector.Autoit.EHG"
- "Tencent": "Win32.Trojan.Autoit.Auto"
- "AVG": "FileRepMalware"
- "Paloalto": "generic.ml"
- "CrowdStrike": "win/malicious_confidence_90% (W)"
- "MaxSecure": "Trojan.Malware.300983.susgen"
- "Description": "Creates a slightly modified copy of itself",
- "Details":
- "file": "C:\\Users\\user\\BingASDS\\unregmp2.bat"
- "percent_match": 100
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- * Started Service:
- * Mutexes:
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\87e37b0a-3690-4f2b-917d-07482c988c00",
- "Global\\.net clr networking"
- * Modified Files:
- "C:\\Users\\user\\BingASDS\\unregmp2.bat",
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat"
- * Deleted Files:
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\0x433A5C55736572735C7362755C42696E6741534453"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "donjay.ddns.net",
- "answers":
- * Domains:
- "ip": "0.0.0.0",
- "domain": "donjay.ddns.net"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement