MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04c147559ea23daa59503c0b935c8df2728893ea82211813c8428b630fcd3768. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04c147559ea23daa59503c0b935c8df2728893ea82211813c8428b630fcd3768
SHA3-384 hash: 9b6461eedf06f045168807adb90b961795b021e7b74c842b779f354ac3e0e0f9e8b4904fb6a90a4ae5008c1bdb78eb84
SHA1 hash: e8a2678fde54f56ef016528c8229952c258a765e
MD5 hash: 26f46a281cbd2456c4df54a75007d9ab
humanhash: london-missouri-comet-zulu
File name:26F46A281CBD2456C4DF54A75007D9AB.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:366'080 bytes
First seen:2026-02-19 08:10:09 UTC
Last seen:2026-02-19 08:34:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'813 x AgentTesla, 19'735 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 6144:tSMPvteRMSiLJ0BG6izC7nWuOBSBiudd5fAylWkfhCXgguVT2UCT8faK5u4zq0P:vPAJiN0k47nUBLu/5fAy5ZCQ/VqU9vrq
Threatray 1'123 similar samples on MalwareBazaar
TLSH T1FC74124F660CB527C6DC88B765F661C4937594EF1903E2AEAA4C32582C42FEB8157F0D
TrID 70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
192.169.69.25:9900

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.169.69.25:9900 https://threatfox.abuse.ch/ioc/48772/

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
26F46A281CBD2456C4DF54A75007D9AB.exe
Verdict:
Malicious activity
Analysis date:
2026-02-19 08:11:13 UTC
Tags:
nanocore
Link:
https://app.any.run/tasks/c66cb675-7cc6-45d2-b600-261b4a361961

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53777/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader30.50357.25383.14701.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6996c571c950ab5d9aaf4987
Tags:
micro spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 crypt horse krypt nanocore obfuscated packed unsafe
Link:
https://www.filescan.io/uploads/6996c56d9eaae846593c94fb/reports/7d89fd45-4cb2-45dd-8d4f-ac240717e77f/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/04c147559ea23daa59503c0b935c8df2728893ea82211813c8428b630fcd3768
Verdict:
Malicious
File Type:
exe x32
First seen:
2019-12-05T10:10:00Z UTC
Last seen:
2026-02-12T17:52:00Z UTC
Hits:
~1000
Detections:
Trojan.Agent.TCP.ServerRequest Backdoor.NanoBot.TCP.C&C Backdoor.Agent.TCP.C&C Trojan-Banker.Win32.Trickster.sb Trojan.Win32.NanoBot.sb HEUR:Backdoor.MSIL.NanoBot.gen Trojan-PSW.Agensla.TCP.ServerRequest HEUR:Trojan-PSW.MSIL.Agensla.gen HEUR:Trojan.Win32.Generic HEUR:Backdoor.Win32.Generic Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Taskun.sb Backdoor.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/04c147559ea23daa59503c0b935c8df2728893ea82211813c8428b630fcd3768/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43c81a36-2a08-4231-99e4-6a7616fb57a0
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1871679
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Cassandra Crypter
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1871679 Sample: f9adBkUDi6.exe Startdate: 19/02/2026 Architecture: WINDOWS Score: 100 43 shed.dual-low.part-0012.t-0009.t-msedge.net 2->43 45 part-0012.t-0009.t-msedge.net 2->45 47 6 other IPs or domains 2->47 61 Suricata IDS alerts for network traffic 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 12 other signatures 2->67 8 f9adBkUDi6.exe 7 2->8         started        12 saQhmvAK.exe 5 2->12         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\saQhmvAK.exe, PE32 8->33 dropped 35 C:\Users\...\saQhmvAK.exe:Zone.Identifier, ASCII 8->35 dropped 37 C:\Users\user\AppData\Local\...\tmp27DE.tmp, XML 8->37 dropped 39 C:\Users\user\AppData\...\f9adBkUDi6.exe.log, ASCII 8->39 dropped 69 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->69 71 Uses schtasks.exe or at.exe to add and modify task schedules 8->71 73 Writes to foreign memory regions 8->73 75 Injects a PE file into a foreign processes 8->75 14 MSBuild.exe 8 8->14         started        19 schtasks.exe 1 8->19         started        21 SgrmBroker.exe 1 8->21         started        77 Antivirus detection for dropped file 12->77 79 Multi AV Scanner detection for dropped file 12->79 81 Allocates memory in foreign processes 12->81 23 MSBuild.exe 3 12->23         started        25 schtasks.exe 1 12->25         started        signatures6 process7 dnsIp8 49 aboki0419.duckdns.org 14->49 51 aboki0419.duckdns.org 192.169.69.25, 49692, 49693, 49694 WOWUS United States 14->51 53 abokijob.hopto.org 14->53 41 C:\Users\user\AppData\Roaming\...\run.dat, data 14->41 dropped 55 Detected Nanocore Rat 14->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->57 27 dw20.exe 20 12 14->27         started        29 conhost.exe 19->29         started        31 conhost.exe 25->31         started        file9 59 Uses dynamic DNS services 49->59 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/04c147559ea23daa59503c0b935c8df2728893ea82211813c8428b630fcd3768
Gathering data
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/04c147559ea23daa59503c0b935c8df2728893ea82211813c8428b630fcd3768/
Verdict:
Malicious
Threat:
Family.NANOCORE
Link:
https://tip.neiki.dev/file/04c147559ea23daa59503c0b935c8df2728893ea82211813c8428b630fcd3768
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2019-12-06 01:55:09 UTC
AV detection:
30 of 41 (73.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=atauovm6ui62uwkqhqfzgxen6jzire7kqiqrqe6iikfwgd6ng5ua._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
unc_loader_065
Create hunting rule
Similar samples:
04c147559ea23daa59503c0b935c8df2728893ea82211813c8428b630fcd3768
NanoCore
1ea022e39cb9cf37fbfdc1f6b2b4cd2dff64793c981312963894ecf2d34587a9
NanoCore
480a1166729945af333cf8a6f5d51a4ed13ac5e4af1487ecea6e87f7aefbf656
NanoCore
ac7c3c0c3906c4d93e34b91fa34941277f044ac26d037c113c9756a4f18619dd
NanoCore
de2aae7cad657545766fd4b88337a5474434c57006e56c149bd2138fe6b035bc
NanoCore
error
NanoCore
f99a35529d49c648c01518eb567398141b2ad7a809f88618c75b6f637cae3926
NanoCore
+ 1'113 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore discovery execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/260219-j2v6hahv9e/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
NanoCore
Nanocore family
Malware Config
C2 Extraction:
aboki0419.duckdns.org:9900
abokijob.hopto.org:9900
Unpacked files
SH256 hash:
04c147559ea23daa59503c0b935c8df2728893ea82211813c8428b630fcd3768
MD5 hash:
26f46a281cbd2456c4df54a75007d9ab
SHA1 hash:
e8a2678fde54f56ef016528c8229952c258a765e
Link:
https://www.unpac.me/results/4afea1b3-50f2-491e-b144-023fca3b9404/
SH256 hash:
dc98979a1f37e90b333470335f3454e54d2d59f2425583569f850885abe4de45
MD5 hash:
c0a4f4be012d54beb70f7b504241ad1c
SHA1 hash:
112ec572b12b7512705dc6d053be432c0858bbdb
Link:
https://www.unpac.me/results/4afea1b3-50f2-491e-b144-023fca3b9404/
SH256 hash:
db2ab518832c246699ea52710128d1c1e4e1affc8577ce887198035f8b9260ba
MD5 hash:
fdbbccc2c72f3a8263f85992ed182104
SHA1 hash:
365082e8270d3e95f526de7733615b82051a034b
Detections:
CyaxSharp_ReZer0
Create hunting rule
INDICATOR_EXE_Packed_Cassandra
Create hunting rule
Link:
https://www.unpac.me/results/4afea1b3-50f2-491e-b144-023fca3b9404/
SH256 hash:
29e932902ad0508f98e7229d4111c8b33d9aa7a28fecff10948db919947ea596
MD5 hash:
7f078ae724e2e0bb12a136502f43638e
SHA1 hash:
f78cdabf260d33c3b701a01dfb900386f72dee46
Detections:
win_nanocore_w0
Create hunting rule
SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24
Create hunting rule
Nanocore_RAT_Gen_2
Create hunting rule
Nanocore_RAT_Feb18_1
Create hunting rule
Nanocore
Create hunting rule
MALWARE_Win_NanoCore
Create hunting rule
Link:
https://www.unpac.me/results/4afea1b3-50f2-491e-b144-023fca3b9404/
SH256 hash:
034c06f77c8008d0a1f3e2913223c563de9abbb4090f05c1b174ce5859b1b688
MD5 hash:
f9341d1afd00646048b1d1a7b6048a71
SHA1 hash:
2136dd87042e1891b46d9cd2b64b14d680faad14
Detections:
INDICATOR_EXE_Packed_Cassandra
Create hunting rule
Link:
https://www.unpac.me/results/4afea1b3-50f2-491e-b144-023fca3b9404/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/04c147559ea2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04c147559ea23daa59503c0b935c8df2728893ea82211813c8428b630fcd3768

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/53777/

Comments