MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8222127c77b4f83832246e9ce96da7741f1352da9d3548ad8b959b2e00b54c0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash: 8222127c77b4f83832246e9ce96da7741f1352da9d3548ad8b959b2e00b54c0d
SHA3-384 hash: db151628c4c253493a25b17ab544e269649470d603271fd278b59d76aa35b09a8987ac8102d14882c5565ad65c07d2e3
SHA1 hash: e50192512d5cf87ece05a1b3974fccc652eff93b
MD5 hash: 4f0f86315b42b8dad8a1b430d5ac084a
humanhash: sodium-princess-sixteen-hotel
File name:10377 APT800_B0205K0384.exe
Download: download sample
Signature NanoCore
File size:1'583'616 bytes
First seen:2021-09-28 10:52:16 UTC
Last seen:2021-09-28 13:24:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (23'043 x AgentTesla, 5'566 x Formbook, 3'013 x Loki)
ssdeep 12288:jfuyMJL4xqDGHF3rzbMfOhVr0I1hwd3o+VJNMzh4FmKinjIRsjr:HMy2YqfOL4ahwdYEnMzhE
Threatray 2'943 similar samples on MalwareBazaar
TLSH T1157540290D6686F7C7FFC22CD49C0ACEDAF195837A91CF199C81D6D20297B0BE28495D
Reporter @GovCERT_CH
Tags:exe NanoCore

Intelligence


File Origin
# of uploads :
2
# of downloads :
116
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
10377 APT800_B0205K0384.exe
Verdict:
Malicious activity
Analysis date:
2021-09-28 10:54:30 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
DNS request
Connecting to a non-recommended domain
Connection attempt
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2021-09-28 10:53:05 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
mec.sytes.net:3259
Unpacked files
SH256 hash:
f9b8c3f31375e9a1ec105f930f751869a804110d29d6b38e7298622eb74b2bec
MD5 hash:
42006852619847f368bc4062849cd6dc
SHA1 hash:
ba6edc3a5aba8eac15b6a30e1407cdae80b2481d
SH256 hash:
01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354
MD5 hash:
9c8242440c47a4f1ce2e47df3c3ddd28
SHA1 hash:
874f3caf663265f7dd18fb565d91b7d915031251
SH256 hash:
61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403
MD5 hash:
bdc8945f1d799c845408522e372d1dbd
SHA1 hash:
874b7c3c97cc5b13b9dd172fec5a54bc1f258005
SH256 hash:
373b9e10820ea3115d56237b69933fc3a42385d6ee417cc58038dc2cda4e0d7f
MD5 hash:
e2f39aed21855091c7d311d2919b8427
SHA1 hash:
eba5f7f682e00ddd7e4e1fad6831bc57caad81c5
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
SH256 hash:
8222127c77b4f83832246e9ce96da7741f1352da9d3548ad8b959b2e00b54c0d
MD5 hash:
4f0f86315b42b8dad8a1b430d5ac084a
SHA1 hash:
e50192512d5cf87ece05a1b3974fccc652eff93b
Malware family:
NanoCore
Verdict:
Malicious

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 8222127c77b4f83832246e9ce96da7741f1352da9d3548ad8b959b2e00b54c0d

(this sample)

  
Dropped by
nanocore
  
Delivery method
Distributed via e-mail attachment

Comments