MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 17

Intelligence 17 IOCs YARA File information Comments

SHA256 hash:	0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331
SHA3-384 hash:	87dfdba7190166a4a68a6ad3e23320e67e66b2636c1097d0e9f613ac86aa5ea45b6503321a1b7d549b3dc799120feece
SHA1 hash:	318fdcf5ba0a326bf6601e1f917f9aa16645d9ca
MD5 hash:	6c432a8b26bc0e068f23e88f69c0f565
humanhash:	july-march-autumn-virginia
File name:	NA.exe
Download:	download sample
File size:	775'680 bytes
First seen:	2023-06-04 15:37:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:faNp9CFWv60PaT5zePZMjFkA1pniuSwgsAaQWKYt9VRd4li8i+3UQXGLPSPr3FbV:SNp9CFEa4RMjFhThyaJj+N66z3F8+sW
Threatray	42 similar samples on MalwareBazaar
TLSH	T151F42226BB93C772D90595B050B3051183F5D38A7637CA5B2D98A2DB0E673A0FF4AB4C
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	ULTRAFRAUD
Tags:	exe NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

Vendor Threat Intelligence

Malware family:

nanocore

ID:

File name:

NA.exe

Verdict:

Malicious activity

Analysis date:

2023-06-04 15:38:12 UTC

Tags:

nanocore

Link:

https://app.any.run/tasks/2b586ab2-5608-406b-9357-9d16cbafad4d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/395559/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.85259.25820.5447.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Creating a file in the Program Files subdirectories

DNS request

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/647cafdb267edef80b336936/reports/3d2320cb-4e98-44c5-b61e-b27e270d315b/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NanoCoreRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cd480796-eed1-4815-b31f-33adb971d398

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1248384

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected Nanocore Rat

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331/

Threat name:

Win64.Trojan.Casdet

Status:

Malicious

First seen:

2023-06-04 15:38:04 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

20 of 37 (54.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bnjfvkqf4idclduotdyf7tdcdigi2tpwse4jocqui7sx2fl4mmyq._file

Verdict:

malicious

178779707d05b33dfe4e6e74b1738321457d3e9a65e017a76ce049da6010610d

1df360694e4b54909b416b5ef5095e54827c8e53d77885032df144272508f013

2db7ec061ff333283fa8b257cb8195f424b47bea05f18e2f04fdfa12de6fdb57

4c79b49a203edd1e36c026cb9751a805831703b01a0447361afcfe8db9707c82

622735f3c745567f645eed34be6cb762ce33ebe3db431af27f907575f1f05ac6

7d68d0c59a97ebb368a2db5ebb2d4f09b804b96e9d638d879c774066920a8451

ace418ee7124a0984399f63959bfd35999ba1ffea76ebb052097a11ce8a1d2df

eb685dd1d389b0348a059dbc4f8fc07dbccdabae3bf3c2e26f7dce6085da57cc

+ 32 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/230604-s22gysce96/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

NanoCore

Malware Config

C2 Extraction:

ezemnia3.ddns.net:62335
91.193.75.178:62335

Unpacked files

SH256 hash:

0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331

MD5 hash:

6c432a8b26bc0e068f23e88f69c0f565

SHA1 hash:

318fdcf5ba0a326bf6601e1f917f9aa16645d9ca

Link:

https://www.unpac.me/results/d8d96c7e-4869-4588-b118-5497f850cd03/

Malware family:

NanoCore

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0b525aaa05e2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/395559/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample