MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0289b5c2829170ad4bb04daedbd3db5e56474415aee109a91a66ba9fa8a7a179. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0289b5c2829170ad4bb04daedbd3db5e56474415aee109a91a66ba9fa8a7a179
SHA3-384 hash: e81969d4832f34f4238c1e3fcb50e88948da6122aca687894237f179e24a2e082956889818d8ebb25abf355a13bc77e6
SHA1 hash: 7b50eced7533928bb4c6ea832b870321eb7511fd
MD5 hash: a1cae12bf28fe87a4ac72a07ba8ee588
humanhash: delta-muppet-pip-missouri
File name:SecuriteInfo.com.W32.AIDetectNet.01.32694.25472
Download: download sample
Signature NanoCore
Create hunting rule
File size:886'272 bytes
First seen:2022-07-04 10:12:26 UTC
Last seen:2022-07-04 12:45:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:QTf1FguQ/Jo0DXeRueTKadnrpiVC2iJVi1/R8hIi0nKiJ1uLZGnrChNmLmlXQYTF:QTdFeHDuRueZdz/i1/R8hIi0KcIlF
TLSH T194159D493652F49FC567C43289937C28BA20BB66570BD253A00332BD994D697CEF7CB2
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6cccd4e0f0d0c4d4 (8 x Loki, 3 x NanoCore, 2 x WhiteSnakeStealer)
Reporter SecuriteInfoCom
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
3
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.32694.25472.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c2bd33783441cda103a11c/reports/dfd0f649-384c-4dc4-aa2a-fb5f99917d43/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74a97c38-b751-432a-814d-b31d4eba0eac
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1024095
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 656586 Sample: CPSPM_328850_12656860179_pdf.exe Startdate: 04/07/2022 Architecture: WINDOWS Score: 100 45 config.linkpc.net 2->45 55 Snort IDS alert for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 12 other signatures 2->61 8 CPSPM_328850_12656860179_pdf.exe 1 9 2->8         started        12 taskeng.exe 1 2->12         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\tOzYewoc.exe, PE32 8->37 dropped 39 C:\Users\...\tOzYewoc.exe:Zone.Identifier, ASCII 8->39 dropped 41 C:\Users\user\AppData\Local\...\tmpB24F.tmp, XML 8->41 dropped 63 Detected unpacking (changes PE section rights) 8->63 65 Detected unpacking (overwrites its own PE header) 8->65 67 Uses schtasks.exe or at.exe to add and modify task schedules 8->67 69 2 other signatures 8->69 14 CPSPM_328850_12656860179_pdf.exe 10 8->14         started        19 powershell.exe 6 8->19         started        21 schtasks.exe 8->21         started        25 3 other processes 8->25 23 CPSPM_328850_12656860179_pdf.exe 2 12->23         started        signatures6 process7 dnsIp8 47 config.linkpc.net 188.127.231.93, 3425, 49173, 49174 DHUBRU Russian Federation 14->47 43 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 14->43 dropped 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->49 27 schtasks.exe 14->27         started        51 Adds a directory exclusion to Windows Defender 23->51 53 Injects a PE file into a foreign processes 23->53 29 powershell.exe 7 23->29         started        31 schtasks.exe 23->31         started        33 CPSPM_328850_12656860179_pdf.exe 23->33         started        35 CPSPM_328850_12656860179_pdf.exe 23->35         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0289b5c2829170ad4bb04daedbd3db5e56474415aee109a91a66ba9fa8a7a179/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-04 08:50:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ake3lqucsfyk2s5qjwxnxu63lzleoravv3qqtki2m25j7kfhuf4q._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220704-l83v2agdcn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
config.linkpc.net:3425
Unpacked files
SH256 hash:
2793508855f2d8a2d5e7d09c8345d8df64c3b163bee2be7ebc311cf9efd1fdd5
MD5 hash:
7bb92dde731769df891a6adfac2fad5e
SHA1 hash:
e179e5c51454a7e74514bc0d691eb28b313ad5ed
Link:
https://www.unpac.me/results/f4e5d160-6b13-4d6f-bf67-43480e430736/
SH256 hash:
574b7c3c6c0b776483248201328a286f9454dad372fc0ef59725b0bf1c047731
MD5 hash:
0d005aa5affaac04ef4f6835bda78a5b
SHA1 hash:
b58edea6032b7277d3e0694b0697bef601be40e3
Link:
https://www.unpac.me/results/f4e5d160-6b13-4d6f-bf67-43480e430736/
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
Link:
https://www.unpac.me/results/f4e5d160-6b13-4d6f-bf67-43480e430736/
SH256 hash:
b968535e09c5c69854530e0f1b4e62e29bcc8b179cd65648fb25ea2208c97229
MD5 hash:
8206506f141f28692bf78e2c99f184aa
SHA1 hash:
9259ca99f69d548bad64a19e67154c1dd0aab565
Link:
https://www.unpac.me/results/f4e5d160-6b13-4d6f-bf67-43480e430736/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/f4e5d160-6b13-4d6f-bf67-43480e430736/
SH256 hash:
243695e7081c87c1a14cfef0f89b75bd326edef6e651ef8b124fa8052dbee7a3
MD5 hash:
617a5e683eb9f142139a860b9fb84959
SHA1 hash:
49e92c99c8b0777dc93ec4f3b13fdc6de99e80b0
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/f4e5d160-6b13-4d6f-bf67-43480e430736/
Parent samples :
243695e7081c87c1a14cfef0f89b75bd326edef6e651ef8b124fa8052dbee7a3
21281c48dd7beeb19d22aef27f4d77f79c550fc32acc69d4c3b91966cc8a048b
02558d43b82050ac649bd7eff62a663dd98d141033f6cca56bc99bc811a059b8
0289b5c2829170ad4bb04daedbd3db5e56474415aee109a91a66ba9fa8a7a179
999c19bb669363e626ff41024ebe756e82a200fd874f8099dfbf8776360ccba2
0090148371c3a92d98212cda20209ca8d7b4e50c0c7829e6d17501d85c826743
c7e6e4337c88f196926b8833aac8b3c9b1759b657128da161ec2d279f1ef613e
SH256 hash:
0289b5c2829170ad4bb04daedbd3db5e56474415aee109a91a66ba9fa8a7a179
MD5 hash:
a1cae12bf28fe87a4ac72a07ba8ee588
SHA1 hash:
7b50eced7533928bb4c6ea832b870321eb7511fd
Link:
https://www.unpac.me/results/f4e5d160-6b13-4d6f-bf67-43480e430736/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0289b5c28291/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments