2417NanoCore_0ea6ca9f4b58c8dda83575997e9a1b9c_exe_2019-09-19_08_30.txt

1.  
2. * ID: 2417
3. * MalFamily: "Nanocore"
4.  
5. * MalScore: 10.0
6.  
7. * File Name: "NanoCore_0ea6ca9f4b58c8dda83575997e9a1b9c.exe"
8. * File Size: 1111040
9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10. * SHA256: "bc5216eb11fdf50e8e56159be45e89bca7396c057c9d9bfbfc54a52837fb99b0"
11. * MD5: "0ea6ca9f4b58c8dda83575997e9a1b9c"
12. * SHA1: "7a151a23d6e48adbfc9fecd396ea1130c208f0cd"
13. * SHA512: "ad48f1ee46011f922031defab05ef17dc6993f29fe8a81defbbfcb0b34307037e1702ece38ac77d14377c6af5ecd4e1b386b4008c1d46ccb55cb406beb6da415"
14. * CRC32: "A7E46BDA"
15. * SSDEEP: "24576:BAHnh+eWsN3skA4RV1Hom2KXMmHaRhpGT/DnWmZsE5:Yh+ZkldoPK8YaRS7TL1"
16.  
17. * Process Execution:
18. "4D2ZXETDzY.exe",
19. "RegAsm.exe"
20.  
21.  
22. * Executed Commands:
23. "\"C:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework\\\\\\\\v2.0.50727\\\\\\\\RegAsm.exe\""
24.  
25.  
26. * Signatures Detected:
27.  
28. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
29. "Details":
30.  
31.  
32. "Description": "Behavioural detection: Executable code extraction",
33. "Details":
34.  
35.  
36. "Description": "Guard pages use detected - possible anti-debugging.",
37. "Details":
38.  
39.  
40. "Description": "A process attempted to delay the analysis task.",
41. "Details":
42.  
43. "Process": "RegAsm.exe tried to sleep 1032 seconds, actually delayed analysis time by 0 seconds"
44.  
45.  
46.  
47.  
48. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
49. "Details":
50.  
51. "ioc": "v2.0.50727"
52.  
53.  
54.  
55.  
56. "Description": "Expresses interest in specific running processes",
57. "Details":
58.  
59. "process": "RegAsm.exe"
60.  
61.  
62.  
63.  
64. "Description": "Reads data out of its own binary image",
65. "Details":
66.  
67. "self_read": "process: 4D2ZXETDzY.exe, pid: 2220, offset: 0x00000000, length: 0x00010000"
68.  
69.  
70. "self_read": "process: 4D2ZXETDzY.exe, pid: 2220, offset: 0x00000000, length: 0x0010f400"
71.  
72.  
73. "self_read": "process: RegAsm.exe, pid: 2408, offset: 0x00000000, length: 0x00001000"
74.  
75.  
76. "self_read": "process: RegAsm.exe, pid: 2408, offset: 0x00000080, length: 0x00000200"
77.  
78.  
79. "self_read": "process: RegAsm.exe, pid: 2408, offset: 0x00000178, length: 0x00000200"
80.  
81.  
82. "self_read": "process: RegAsm.exe, pid: 2408, offset: 0x0000a720, length: 0x00000200"
83.  
84.  
85. "self_read": "process: RegAsm.exe, pid: 2408, offset: 0x0000a73c, length: 0x00000200"
86.  
87.  
88.  
89.  
90. "Description": "The binary likely contains encrypted or compressed data.",
91. "Details":
92.  
93. "section": "name: .rsrc, entropy: 7.84, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00044e00, virtual_size: 0x00044c5c"
94.  
95.  
96.  
97.  
98. "Description": "Attempts to remove evidence of file being downloaded from the Internet",
99. "Details":
100.  
101. "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier"
102.  
103.  
104.  
105.  
106. "Description": "Installs itself for autorun at Windows startup",
107. "Details":
108.  
109. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\0x433A5C55736572735C7362755C42696E6741534453"
110.  
111.  
112. "data": "C:\\Users\\user\\BingASDS\\unregmp2.bat"
113.  
114.  
115.  
116.  
117. "Description": "Exhibits behavior characteristic of Nanocore RAT",
118. "Details":
119.  
120.  
121. "Description": "File has been identified by 28 Antiviruses on VirusTotal as malicious",
122. "Details":
123.  
124. "Qihoo-360": "HEUR/QVM10.1.DC75.Malware.Gen"
125.  
126.  
127. "McAfee": "Artemis!0EA6CA9F4B58"
128.  
129.  
130. "Cylance": "Unsafe"
131.  
132.  
133. "AegisLab": "Trojan.Win32.Generic.4!c"
134.  
135.  
136. "Alibaba": "Trojan:Win32/AutoitInject.f864869a"
137.  
138.  
139. "F-Prot": "W32/Autoit.G.gen!Eldorado"
140.  
141.  
142. "APEX": "Malicious"
143.  
144.  
145. "Avast": "FileRepMalware"
146.  
147.  
148. "Kaspersky": "HEUR:Trojan.Win32.Generic"
149.  
150.  
151. "Rising": "Trojan.Injector/Autoit!1.BB82 (CLASSIC)"
152.  
153.  
154. "Invincea": "heuristic"
155.  
156.  
157. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.tc"
158.  
159.  
160. "FireEye": "Generic.mg.0ea6ca9f4b58c8dd"
161.  
162.  
163. "Ikarus": "Trojan.Autoit"
164.  
165.  
166. "Cyren": "W32/Autoit.G.gen!Eldorado"
167.  
168.  
169. "MAX": "malware (ai score=100)"
170.  
171.  
172. "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
173.  
174.  
175. "Microsoft": "Trojan:Win32/AutoitInject.BH!MTB"
176.  
177.  
178. "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
179.  
180.  
181. "AhnLab-V3": "Win-Trojan/Autoinj02.Exp"
182.  
183.  
184. "Acronis": "suspicious"
185.  
186.  
187. "Malwarebytes": "Trojan.MalPack.AutoIt"
188.  
189.  
190. "ESET-NOD32": "a variant of Win32/Injector.Autoit.EHG"
191.  
192.  
193. "Tencent": "Win32.Trojan.Autoit.Auto"
194.  
195.  
196. "AVG": "FileRepMalware"
197.  
198.  
199. "Paloalto": "generic.ml"
200.  
201.  
202. "CrowdStrike": "win/malicious_confidence_90% (W)"
203.  
204.  
205. "MaxSecure": "Trojan.Malware.300983.susgen"
206.  
207.  
208.  
209.  
210. "Description": "Creates a slightly modified copy of itself",
211. "Details":
212.  
213. "file": "C:\\Users\\user\\BingASDS\\unregmp2.bat"
214.  
215.  
216. "percent_match": 100
217.  
218.  
219.  
220.  
221. "Description": "Collects information to fingerprint the system",
222. "Details":
223.  
224.  
225. "Description": "Anomalous binary characteristics",
226. "Details":
227.  
228. "anomaly": "Actual checksum does not match that reported in PE header"
229.  
230.  
231.  
232.  
233.  
234. * Started Service:
235.  
236. * Mutexes:
237. "CicLoadWinStaWinSta0",
238. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
239. "Global\\CLR_PerfMon_WrapMutex",
240. "Global\\CLR_CASOFF_MUTEX",
241. "Global\\87e37b0a-3690-4f2b-917d-07482c988c00",
242. "Global\\.net clr networking"
243.  
244.  
245. * Modified Files:
246. "C:\\Users\\user\\BingASDS\\unregmp2.bat",
247. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat"
248.  
249.  
250. * Deleted Files:
251. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier"
252.  
253.  
254. * Modified Registry Keys:
255. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\0x433A5C55736572735C7362755C42696E6741534453"
256.  
257.  
258. * Deleted Registry Keys:
259.  
260. * DNS Communications:
261.  
262. "type": "A",
263. "request": "donjay.ddns.net",
264. "answers":
265.  
266.  
267.  
268. * Domains:
269.  
270. "ip": "0.0.0.0",
271. "domain": "donjay.ddns.net"
272.  
273.  
274.  
275. * Network Communication - ICMP:
276.  
277. * Network Communication - HTTP:
278.  
279. * Network Communication - SMTP:
280.  
281. * Network Communication - Hosts:
282.  
283. * Network Communication - IRC: