flash

Secured nc.exe

Status: finished
Submission Time: 21.04.2020 01:23:00
Malicious
Trojan
Adware
Evader
Nanocore

Comments

Tags

Details

  • Analysis ID:
    224023
  • API (Web) ID:
    344645
  • Analysis Started:
    21.04.2020 01:23:01
  • Analysis Finished:
    21.04.2020 01:38:32
  • MD5:
    b43e1d0b714af3502e1ac041b8164255
  • SHA1:
    92ac3272506570e140692b6eb7a43aa1732c81b2
  • SHA256:
    353cd6a5d6ea85d0ffb911e286ff7d460eec73334bc1fef0a59ea9cea782b281
  • Technologies:
Full Report Engine Info Verdict Score Reports

System: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113

malicious
100/100

IPs

IP Country Detection
151.80.8.11
Italy
104.18.49.20
United States

Domains

Name IP Detection
alice2019.myftp.biz
151.80.8.11
paste.ee
104.18.49.20

URLs

Name Detection
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://paste.ee/r/9oMSH

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\run.dat
Non-ISO extended-ASCII text, with no line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeObcreZp.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeObcreZp.exe:Zone.Identifier
ASCII text, with CRLF line terminators
#
Click to see the 20 hidden entries
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wpasv.exe.log
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_11x04zm5.0cb.ps1
ASCII text, with no line terminators
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mopzjgk.ixp.psm1
ASCII text, with no line terminators
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anjtk3tt.dea.ps1
ASCII text, with no line terminators
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_deajpnct.kty.ps1
ASCII text, with no line terminators
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jodanar2.lya.psm1
ASCII text, with no line terminators
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lyrv4obg.q3m.psm1
ASCII text, with no line terminators
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ucsuky33.qoz.ps1
ASCII text, with no line terminators
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x4iyobpy.ya3.psm1
ASCII text, with no line terminators
#
C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe
PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\catalog.dat
data
#
C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\storage.dat
data
#
C:\Users\user\Documents\20200421\PowerShell_transcript.088753._WPVLBC6.20200421012328.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
C:\Users\user\Documents\20200421\PowerShell_transcript.088753.bSc2hfpi.20200421012338.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
C:\Users\user\Documents\20200421\PowerShell_transcript.088753.lYZjOG0e.20200421012329.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
C:\Users\user\Documents\20200421\PowerShell_transcript.088753.wOLLzNsL.20200421012339.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
\Device\ConDrv
ASCII text, with CRLF line terminators
#