
y8kdmHi6x3.exe

Status: finished
Submission Time: 2022-01-26 02:38:41 +01:00
Verdict: Malicious
Classification: Trojan, Evader
Family: NanoCore, AsyncRAT

Tags

  • exe
  • NanoCore
  • RAT

Details

  • Analysis ID:
    560001
  • API (Web) ID:
    927527
  • Analysis Started:
    2022-01-26 02:38:43 +01:00
  • Analysis Finished:
    2022-01-26 02:55:38 +01:00
  • MD5:
    bff363a92ac43ff249652a83dadc02ab
  • SHA1:
    3c7b47a3f4dc3c8555b656505244886cb3a172f5
  • SHA256:
    d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580
Joe Sandbox

Engine: Joe Sandbox
Detection: malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Note that the software versions in the system line (Chrome 117, Firefox 118, Java 8 Update 381) were released after the January 2022 analysis date, so treat the system description with caution when reproducing the run.

Third Party Analysis Engines

Engine names are not preserved in this extract; only the verdicts and scores survive.

  • malicious, Score: 38/66
  • malicious, Score: 30/34
  • malicious, Score: 42/43
  • malicious, no score given

IPs

IP             | Country
142.250.186.46 | United States
54.38.136.57   | France
69.42.215.252  | United States

Domains

Name                                | IP
freedns.afraid.org                  | 69.42.215.252
docs.google.com                     | 142.250.186.46
saw4.playit.gg                      | 54.38.136.57
chivalrous-condition.auto.playit.gg | 0.0.0.0 (no resolution during the run)
agonizing-bat.auto.playit.gg        | 0.0.0.0 (no resolution during the run)
xred.mooo.com                       | 0.0.0.0 (no resolution during the run)

saw4.playit.gg and the two *.auto.playit.gg names belong to playit.gg, a public tunnelling service, and freedns.afraid.org (with its shared domain mooo.com) is a free dynamic-DNS provider. Block the exact hostnames rather than the parent domains, and note that docs.google.com is shared infrastructure that cannot be blocked on hostname alone.

URLs

These are strings carved from memory, so several entries are the same URL with a truncated host ("https://docs.goo") or with trailing characters after the file name ("SUpdate.iniD0/", "SSLLibrary.dll6", "?dl=1:"). They are kept verbatim below; de-duplicate on host and path before using them as indicators.

  • https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  • https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
  • https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl
  • http://xred.site50.net/syn/SSLLibrary.dll
  • http://schemas.microsof
  • http://xred.site50.net/syn/SUpdate.iniD0/
  • http://xred.site50.net/syn/SUpdate.iniD0
  • https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
  • http://xred.site50.net/syn/SSLLibrary.dlp
  • https://docs.goo
  • http://xred.site50.net/syn/SUpdate.ini
  • https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=8
  • https://docs.google.com/S
  • http://xred.site50.net/syn/SUpdate.iniZ
  • https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
  • https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  • https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:
  • http://xred.site50.net/syn/SSLLibrary.dll6
  • http://xred.site50.net/syn/SSLLibrary.dl
  • http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  • https://docs.google.com/
  • https://docs.goog
  • http://xred.site50.net/syn/Synaptics.rar
  • https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
  • http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978$1
  • https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  • http://xred.site50.net/syn/Synaptics.rarZ
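The URL list above is not directly usable as a blocklist: the same handful of resources appear many times with carving junk, and Dropbox and Google hosts cannot be blocked by hostname. The script below is an added example, not part of the Joe Sandbox report. It copies the report's Domains table and a representative subset of its URL strings verbatim, canonicalises them to host plus resource (cutting junk after a known file extension, folding truncated hosts such as `docs.goo` into `docs.google.com`, dropping bare directories once a file beneath them is known), and then checks constructed proxy log lines against the result. `SHARED_HOSTS`, the file-extension list, the log format and the log lines are assumptions made for the example.

```python
"""Canonicalise memory-carved URL strings into an IOC set and match proxy logs.

Added example, not part of the Joe Sandbox report. OBSERVED_DOMAINS and
RAW_URLS (a subset) are copied from the report; SHARED_HOSTS, the trimming
rules, the log format and the log lines are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

OBSERVED_DOMAINS = {  # the report's Domains table (hosts the sandbox saw queried)
    "freedns.afraid.org", "docs.google.com", "saw4.playit.gg",
    "chivalrous-condition.auto.playit.gg", "agonizing-bat.auto.playit.gg",
    "xred.mooo.com",
}
# Assumption: hosts shared with legitimate traffic, so only block at resource level.
SHARED_HOSTS = {"www.dropbox.com", "docs.google.com", "csp.withgoogle.com"}
RAW_URLS = [  # subset of the report's URL list, verbatim including carving junk
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=",
    "http://xred.site50.net/syn/SSLLibrary.dll6",
    "http://xred.site50.net/syn/SSLLibrary.dl",
    "http://xred.site50.net/syn/SSLLibrary.dlp",
    "http://xred.site50.net/syn/SUpdate.iniD0/",
    "http://xred.site50.net/syn/SUpdate.iniZ",
    "http://xred.site50.net/syn/Synaptics.rarZ",
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978$1",
    "https://docs.google.com/S",
    "https://docs.goo",
    "http://schemas.microsof",
]

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# File types the stages above fetch (assumed list); text after the extension is junk.
FILE_RE = re.compile(r"^(.*?\.(?:exe|dll|ini|rar))", re.I)


def canonical_resource(raw):
    """Return (host, resource) for one carved string, or None without a usable host."""
    parts = urlsplit(raw.strip())
    host = (parts.hostname or "").lower()
    if not HOST_RE.match(host):
        return None
    is_dir = parts.path.endswith("/")
    directory, _, name = parts.path.rstrip("/").rpartition("/")
    m = FILE_RE.match(name)
    if m:                      # known file type: cut the junk after the extension
        resource = f"{directory}/{m.group(1)}"
    elif is_dir and name:      # a real directory such as /api/
        resource = f"{directory}/{name}/"
    else:                      # truncated fragment such as "/S": keep the directory only
        resource = f"{directory}/"
    return host, resource


def build_iocs(raw_urls, observed):
    """Group resources by host, folding truncated hosts and redundant directories."""
    by_host = {}
    for raw in raw_urls:
        hit = canonical_resource(raw)
        if hit:
            by_host.setdefault(hit[0], set()).add(hit[1])
    # "docs.goo" is a truncated "docs.google.com": drop hosts that prefix another host.
    hosts = {h for h in by_host if not any(o != h and o.startswith(h) for o in by_host)}
    iocs = {}
    for h in hosts:
        res = by_host[h]
        res = {r for r in res if not any(o != r and o.startswith(r) for o in res)}
        iocs[h] = {"resources": sorted(res), "observed": h in observed,
                   "shared": h in SHARED_HOSTS}
    return iocs


def match_proxy_log(lines, iocs):
    """Return (host, path) for lines hitting an IOC; shared hosts need a path hit."""
    hits = []
    for line in lines:
        parts = urlsplit(line.split()[3])   # constructed format: ts client method url status
        host = (parts.hostname or "").lower()
        entry = iocs.get(host)
        if not entry:
            continue
        if entry["shared"] and not any(parts.path.startswith(r) for r in entry["resources"]):
            continue
        hits.append((host, parts.path))
    return hits


SAMPLE_LOG = [  # constructed proxy lines, not from the report
    "2022-01-26T01:40:12Z 10.0.0.5 GET http://xred.site50.net/syn/SUpdate.ini 404",
    "2022-01-26T01:40:13Z 10.0.0.5 GET https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1 200",
    "2022-01-26T01:40:14Z 10.0.0.5 GET https://www.dropbox.com/s/abc123/quarterly.xlsx?dl=1 200",
    "2022-01-26T01:40:15Z 10.0.0.5 GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 200",
]

if __name__ == "__main__":
    iocs = build_iocs(RAW_URLS, OBSERVED_DOMAINS)
    for host in sorted(iocs):
        print(host, iocs[host])
    print(match_proxy_log(SAMPLE_LOG, iocs))
```

Query strings are dropped on purpose: the `?dl=` variants and the `$1` suffix are per-string noise, not distinct indicators. The heuristics cannot recover everything: `schemas.microsof` survives as an uncorroborated host with no resource and needs a manual look (it is almost certainly a cut-off XML namespace, not an indicator), which is why each entry carries an `observed` flag tying it back to the Domains table.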

Dropped files

Hash and detection columns were not preserved in this extract; only path and file type survive.

Name | File Type
C:\ProgramData\Synaptics\._cache_Synaptics.exe | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\Documents\BNAGMGSPLO\~$cache1:Zone.Identifier | ASCII text, with CRLF line terminators
C:\Users\user\Documents\BNAGMGSPLO\~$cache1 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\Desktop\y8kdmHi6x3.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\Desktop\WINDOWS.EXE | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\Desktop\SYSTEM32.EXE | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\Desktop\._cache_WINDOWS.EXE | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\Desktop\._cache_Synaptics.exe | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat | ISO-8859 text, with no line terminators
C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe:Zone.Identifier | ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\tmp939D.tmp | XML 1.0 document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\RCX831F.tmp | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\RCX788E.tmp | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\ProgramData\Synaptics\Synaptics.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\ProgramData\Synaptics\Synaptics.exe:Zone.Identifier | ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\y8kdmHi6x3.exe.log | ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\yi1yMTqS.ico | MS Windows icon resource - 1 icon, 32x32, 32 colors
C:\Users\user\Documents\BNAGMGSPLO\EEGWXUHVUG.xlsm | Microsoft Excel 2007+
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\._cache_WINDOWS.EXE.log | ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log | ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Synaptics.exe.log | ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\9KIhjIt.ini | HTML document, ASCII text
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat | ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\BU7W824.ini | HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\OJxXIBO.ini | HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\DznDQdc.ini | HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\Frrvc3Eg.xlsm | Microsoft Excel 2007+
C:\Users\user\AppData\Local\Temp\vaJuLhu.ini | HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\tmp9EC9.tmp | XML 1.0 document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\GljuS4w.ini | HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\ohdSUNQ.ini | HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\avIDvaN.ini | HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\Z3Rs92O.ini | HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\Z3HHv1Q.ini | HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\WDTsgHT.ini | HTML document, ASCII text
C:\Users\user\AppData\Local\Temp\I9E2jd4.ini | HTML document, ASCII text

Two distinct families are visible in this drop list. The %AppData%\Roaming\{GUID}\run.dat and task.dat files and the "DHCP Monitor\dhcpmon.exe" install path are the NanoCore client's known on-disk layout. C:\ProgramData\Synaptics\Synaptics.exe, the ._cache_* copies placed beside infected executables, and the ~$cache1 and .xlsm files under Documents are the Xred (Synaptics) file infector, which also accounts for the xred.* domains and the Synaptics.rar, SUpdate.ini and SSLLibrary.dll URLs above. The .ini files typed as "HTML document" are consistent with those SUpdate.ini fetches returning an HTML page rather than the expected INI. The :Zone.Identifier entries are Mark-of-the-Web streams written next to the dropped executables and are useful for hunting: a PE with a Zone.Identifier stream in ProgramData or Temp is a cheap first filter.
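The drop list is most useful as a set of path patterns for a host-level hunt. The script below is an added example, not part of the Joe Sandbox report: it turns the paths above into regular expressions (the AppData GUID is generalised, which is an assumption about the family rather than something the report states), runs them over constructed Sysmon-style file-create events in a simplified "timestamp|image|targetfilename" line format, and separately pairs each ._cache_X.exe with an X.exe in the same directory, which is the infector's tell. The events, their format and the process attribution are constructed for the example.

```python
"""Hunt for the host artifacts in the drop list above in Sysmon-style file-create events.

Added example, not part of the Joe Sandbox report. The path patterns come from
the report's drop list (the AppData GUID is generalised, an assumption); the
events, their "timestamp|image|targetfilename" format and the process
attribution are constructed for illustration.
"""
import re
from collections import defaultdict

PATTERNS = {
    # %AppData%\Roaming\{GUID}\run.dat / task.dat (GUID generalised from the report)
    "nanocore_state": re.compile(
        r"\\AppData\\Roaming\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\(?:run|task)\.dat$", re.I),
    "nanocore_install": re.compile(r"\\Program Files \(x86\)\\DHCP Monitor\\dhcpmon\.exe$", re.I),
    "xred_host": re.compile(r"\\ProgramData\\Synaptics\\Synaptics\.exe$", re.I),
    "xred_cache_file": re.compile(r"\\\._cache_[^\\]+\.exe$", re.I),
    "xred_office_cache": re.compile(r"\\~\$cache1(?::Zone\.Identifier)?$", re.I),
    # Mark-of-the-Web stream written next to a dropped executable
    "motw_on_pe": re.compile(r"\.exe:Zone\.Identifier$", re.I),
}
CACHE_RE = re.compile(r"^(?P<dir>.*\\)\._cache_(?P<name>[^\\]+)$", re.I)


def classify(path):
    """Names of every pattern the path matches."""
    return [name for name, rx in PATTERNS.items() if rx.search(path)]


def infector_pairs(paths):
    """(host, cache) pairs: the infector keeps ._cache_X.exe beside the infected X.exe."""
    seen = {p.lower() for p in paths}
    pairs = []
    for p in paths:
        m = CACHE_RE.match(p)
        if m and (m.group("dir") + m.group("name")).lower() in seen:
            pairs.append((m.group("dir") + m.group("name"), p))
    return pairs


def hunt(events):
    """Map each creating image to its (tag, target) findings; clean images are absent."""
    parsed = [line.split("|", 2) for line in events]
    paired = {cache for _, cache in infector_pairs([t for _, _, t in parsed])}
    findings = defaultdict(list)
    for _, image, target in parsed:
        tags = classify(target)
        if target in paired:
            tags.append("xred_cache_pair")
        for tag in tags:
            findings[image].append((tag, target))
    return dict(findings)


def suspicious_images(findings):
    """Sorted list of images that produced at least one finding."""
    return sorted(findings)


EVENTS = [  # constructed from the drop list; which process wrote what is assumed
    "2022-01-26T01:39:01Z|C:\\Users\\user\\Desktop\\y8kdmHi6x3.exe|C:\\Users\\user\\Desktop\\._cache_y8kdmHi6x3.exe",
    "2022-01-26T01:39:02Z|C:\\Users\\user\\Desktop\\y8kdmHi6x3.exe|C:\\ProgramData\\Synaptics\\Synaptics.exe",
    "2022-01-26T01:39:03Z|C:\\Users\\user\\Desktop\\y8kdmHi6x3.exe|C:\\ProgramData\\Synaptics\\Synaptics.exe:Zone.Identifier",
    "2022-01-26T01:39:10Z|C:\\ProgramData\\Synaptics\\Synaptics.exe|C:\\Users\\user\\Desktop\\WINDOWS.EXE",
    "2022-01-26T01:39:11Z|C:\\ProgramData\\Synaptics\\Synaptics.exe|C:\\Users\\user\\Desktop\\._cache_WINDOWS.EXE",
    "2022-01-26T01:39:12Z|C:\\ProgramData\\Synaptics\\Synaptics.exe|C:\\Users\\user\\Documents\\BNAGMGSPLO\\~$cache1",
    "2022-01-26T01:39:20Z|C:\\Users\\user\\AppData\\Local\\Temp\\yi1yMTqS.exe|C:\\Users\\user\\AppData\\Roaming\\D06ED635-68F6-4E9A-955C-4899F5F57B9A\\run.dat",
    "2022-01-26T01:39:21Z|C:\\Users\\user\\AppData\\Local\\Temp\\yi1yMTqS.exe|C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe",
    "2022-01-26T01:40:00Z|C:\\Windows\\explorer.exe|C:\\Users\\user\\Downloads\\report.pdf",
]

if __name__ == "__main__":
    for image, items in hunt(EVENTS).items():
        print(image)
        for tag, target in items:
            print(f"  {tag:18} {target}")
```

The pair check is the part worth keeping even if the path patterns age: ._cache_y8kdmHi6x3.exe on its own is just an odd filename, but ._cache_WINDOWS.EXE sitting next to a WINDOWS.EXE written by the same process is the infector preserving the original binary, and that structural signal does not depend on the specific names in this report.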