
wDIaJji4Vv.exe

Status: finished
Submission Time: 04.04.2021 02:35:31
Malicious
Trojan
Evader
Nanocore

Comments

Tags

  • exe
  • NanoCore
  • RAT

Details

  • Analysis ID:
    381644
  • API (Web) ID:
    665435
  • Analysis Started:
    04.04.2021 02:35:32
  • Analysis Finished:
    04.04.2021 02:46:36
  • MD5:
    6a0c22a8a8d9524ba012910571b57d38
  • SHA1:
    b75a74ca657f4940b251c5116bcf2d3a78773671
  • SHA256:
    cc9690dcde0dfa23d657f84bc221296c45590b595d5cca9131087638c35c8a8b
  • Technologies:

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious, score 100/100
malicious, score 42/69
malicious, score 11/43

IPs

  • IP:
    79.134.225.7
  • Country:
    Switzerland

Domains

  • Name:
    james12.ddns.net
  • IP:
    79.134.225.7

URLs

  • james12.ddns.net
  • 127.0.0.1
  • https://go.microX%
  • http://www.fileden.com/files/2011/10/5/3204996/curver.txt
  • https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Dropped files

Name and file type:

  • C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\wDIaJji4Vv.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\tmpE049.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    data
  • C:\Users\user\AppData\Roaming\LGKyjAEnmfdSo.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Roaming\LGKyjAEnmfdSo.exe:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bn2wvdhj.h2i.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbmpopxb.30w.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wlk4xu4b.yrc.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5wqclte.tm2.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
    data
  • C:\Users\user\Documents\20210404\PowerShell_transcript.216554.9U9ReEn0.20210404023626.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210404\PowerShell_transcript.216554.qbfO9BC_.20210404023623.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • \Device\ConDrv
    ASCII text, with CRLF line terminators
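The indicators above (file hashes, the C2 domain and IP, and the dropped-file paths) can be turned directly into a host/network sweep. The following is an added example, not part of the Joe Sandbox report and not code from the sample; the Event record format and the sample events are constructed for the illustration. It generalises one observation: the Roaming\D06ED635-...\run.dat and catalog.dat directory name is treated as a per-sample GUID, so any GUID-named Roaming directory holding run.dat or catalog.dat is matched (an assumption, not something the report states). LGKyjAEnmfdSo.exe looks randomly generated and is matched literally only for completeness. The fileden and bootstrapcdn URLs are left out as indicators since the report gives no evidence they are controlled by the operator.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators copied verbatim from the report.
SHA256 = "cc9690dcde0dfa23d657f84bc221296c45590b595d5cca9131087638c35c8a8b"
MD5 = "6a0c22a8a8d9524ba012910571b57d38"
C2_DOMAIN = "james12.ddns.net"
C2_IP = "79.134.225.7"

# Host artefacts from the dropped-files list. The Roaming directory is matched
# as any GUID (assumption: the GUID is per-sample, so the literal value from the
# report would miss other builds). The other two paths are matched literally;
# LGKyjAEnmfdSo.exe is a random-looking name and is unlikely to recur.
GUID = r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}"
PATH_PATTERNS = {
    "roaming_guid_dat": re.compile(
        r"\\AppData\\Roaming\\" + GUID + r"\\(?:run|catalog)\.dat$", re.I),
    "dhcpmon_exe": re.compile(
        r"\\Program Files \(x86\)\\DHCP Monitor\\dhcpmon\.exe$", re.I),
    "roaming_dropper": re.compile(
        r"\\AppData\\Roaming\\LGKyjAEnmfdSo\.exe(?::Zone\.Identifier)?$", re.I),
}


@dataclass
class Event:
    """One telemetry record. Constructed format, not a real EDR schema."""
    kind: str                      # "file", "dns" or "net"
    value: str                     # file path, queried hostname or remote IP
    sha256: Optional[str] = None   # file events only, when the sensor hashed it
    md5: Optional[str] = None


def match_event(ev: Event) -> List[str]:
    """Return the names of every report indicator this event matches."""
    hits: List[str] = []
    if ev.kind == "file":
        if ev.sha256 and ev.sha256.lower() == SHA256:
            hits.append("sha256")
        if ev.md5 and ev.md5.lower() == MD5:
            hits.append("md5")
        for name, pattern in PATH_PATTERNS.items():
            if pattern.search(ev.value):
                hits.append(name)
    elif ev.kind == "dns":
        # Tolerate a trailing dot from resolvers that log FQDNs.
        if ev.value.lower().rstrip(".") == C2_DOMAIN:
            hits.append("c2_domain")
    elif ev.kind == "net":
        if ev.value == C2_IP:
            hits.append("c2_ip")
    return hits


def sweep(events: List[Event]) -> Dict[int, List[str]]:
    """Map event index -> matched indicator names; clean events are omitted."""
    result: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry: five true positives and two benign records.
SAMPLE_EVENTS = [
    Event("file", r"C:\Users\bob\AppData\Roaming\1B2C3D4E-5F60-4718-9A0B-C1D2E3F4A5B6\run.dat"),
    Event("file", r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"),
    Event("file", r"C:\Users\bob\Downloads\invoice.exe",
          sha256="CC9690DCDE0DFA23D657F84BC221296C45590B595D5CCA9131087638C35C8A8B"),
    Event("dns", "james12.ddns.net."),
    Event("net", "79.134.225.7"),
    Event("file", r"C:\Windows\System32\notepad.exe"),
    Event("dns", "stackpath.bootstrapcdn.com"),
]

if __name__ == "__main__":
    for idx, hits in sweep(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx].value} -> {', '.join(hits)}")
```

The GUID pattern is the one worth keeping after this sample is gone: a GUID-named directory under Roaming containing run.dat and catalog.dat is a structural artefact, whereas the hashes and the random executable name only ever match this build.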