MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d7e87634d90e0042e752f4f9e03446a060469605aa0f0dd059f52f71d16a1cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d7e87634d90e0042e752f4f9e03446a060469605aa0f0dd059f52f71d16a1cd
SHA3-384 hash: 006d85e1267522ddf95c01d0243521c916bf91db264fb020997bc43b7caade89c0a7517f09fb0b0bb2842931e4440cf0
SHA1 hash: 687b6ea86e38bfeded519c6a0045ec9e532ac7ba
MD5 hash: 092ac9e3584c14d11466104765e66c35
humanhash: pennsylvania-mexico-tennis-hamper
File name:Ref-2021D-1227-0418.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:342'016 bytes
First seen:2021-12-27 05:47:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:1ema6bKbKOfxbUGWmAJ+oOUOI1pFraen+fwo+O35/AY:wma6GbKOfpURmAJ+oO7IfgenakcyY
Threatray 2'771 similar samples on MalwareBazaar
TLSH T19574CF49468483B7C12B74B40043601CDDF5F9A2D362C2D9FF4FA298C63BB92AB57A95
File icon (PE):PE icon
dhash icon c89c98acacacbcac (31 x Loki, 23 x AgentTesla, 22 x AveMariaRAT)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
89.238.150.43:5512

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
89.238.150.43:5512 https://threatfox.abuse.ch/ioc/279263/

Intelligence

File Origin
# of uploads :
1
# of downloads :
346
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ref-2021D-1227-0418.exe
Verdict:
Malicious activity
Analysis date:
2021-12-27 11:47:38 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/d8634478-9296-4d98-a88e-49ab3c4db75b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216494/
Detection(s):
Win.Dropper.Smdd-6956905-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Running batch commands
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61c953954ab5c44cbf53034e/reports/f5ced222-ac99-4ada-9d8c-65c993b95748/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78386651-6e3e-48bc-a484-e4f69277c4b0
Result
Threat name:
AgentTesla AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/913023
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 545501 Sample: Ref-2021D-1227-0418.exe Startdate: 27/12/2021 Architecture: WINDOWS Score: 100 90 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->90 92 Found malware configuration 2->92 94 Antivirus detection for dropped file 2->94 96 14 other signatures 2->96 10 mozille.exe 5 2->10         started        13 Ref-2021D-1227-0418.exe 6 2->13         started        process3 file4 102 Multi AV Scanner detection for dropped file 10->102 104 Machine Learning detection for dropped file 10->104 106 Injects a PE file into a foreign processes 10->106 16 mozille.exe 10->16         started        21 schtasks.exe 10->21         started        80 C:\Users\user\AppData\Roaming\JmIzkSDRK.exe, PE32 13->80 dropped 82 C:\Users\user\AppData\Local\...\tmpE9A3.tmp, XML 13->82 dropped 84 C:\Users\user\...\Ref-2021D-1227-0418.exe.log, ASCII 13->84 dropped 108 Uses schtasks.exe or at.exe to add and modify task schedules 13->108 23 Ref-2021D-1227-0418.exe 6 13->23         started        25 schtasks.exe 1 13->25         started        signatures5 process6 dnsIp7 86 89.238.150.43, 49745, 49763, 49772 M247GB United Kingdom 16->86 88 192.168.2.1 unknown unknown 16->88 74 C:\Users\user\AppData\Local\Temp\ikqmfs.exe, PE32 16->74 dropped 76 C:\Users\user\AppData\Local\Temp\fxkvbw.exe, PE32 16->76 dropped 98 Tries to harvest and steal browser information (history, passwords, etc) 16->98 27 cmd.exe 16->27         started        30 cmd.exe 16->30         started        32 conhost.exe 21->32         started        78 C:\Users\user\AppData\Local\...\mozille.exe, PE32 23->78 dropped 34 cmd.exe 1 23->34         started        36 cmd.exe 1 23->36         started        38 svchost.exe 23->38         started        40 conhost.exe 25->40         started        file8 signatures9 process10 signatures11 110 Suspicious powershell command line found 27->110 42 powershell.exe 27->42         started        44 conhost.exe 27->44         started        46 conhost.exe 30->46         started        48 powershell.exe 30->48         started        112 Bypasses PowerShell execution policy 34->112 50 conhost.exe 34->50         started        52 schtasks.exe 1 34->52         started        54 mozille.exe 4 36->54         started        57 conhost.exe 36->57         started        59 timeout.exe 1 36->59         started        process12 signatures13 61 ikqmfs.exe 42->61         started        100 Injects a PE file into a foreign processes 54->100 64 schtasks.exe 54->64         started        66 mozille.exe 54->66         started        68 mozille.exe 54->68         started        process14 signatures15 114 Antivirus detection for dropped file 61->114 116 Machine Learning detection for dropped file 61->116 70 ikqmfs.exe 61->70         started        72 conhost.exe 64->72         started        process16
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0d7e87634d90e0042e752f4f9e03446a060469605aa0f0dd059f52f71d16a1cd/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2021-12-27 05:08:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bv7ioy2nsdqailtvf5hz4a2enidai2lalkqpbxift5jpohiwuhgq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff
NanoCore
0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d
NanoCore
1299373ec40fc1f3f16957338574a9ad51a94e62220cc8c08f1ad81dee443544
NanoCore
16fc0cec13d88da3d0a36e4c42e733db8f1e21cafc18fd813a25cd0bc835f35a
NanoCore
1b7d7515f98891cf08164a7469bb9c9f3133e7834cfe99d55094594ca330e982
NanoCore
213528a5164fcb5253010129aac3855b4b905c9c5a9514a2a2b9db7e2b592a73
NanoCore
438e8f8d626ca18bb5fbd3499cad058033b199c865badba6415e362d5b8dcd49
NanoCore
bcf7571a4d9b25fabdc2d6120b1b2d7bd8446ea2bc3a5da1d4127954920067de
NanoCore
ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611
NanoCore
ecb8839117d73d33390c84f7f6e02f4970156ccb2da7b48083922f60625fa8be
NanoCore
+ 2'761 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat spyware stealer
Link:
https://tria.ge/reports/211227-ghfwcsccb5/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
89.238.150.43:5512
Unpacked files
SH256 hash:
558898772f19dae7cef455f8ee36b40fa34e1af5b4de54b869e43a499f8d7c2c
MD5 hash:
237dd934ec49dc6371260dfd074341fd
SHA1 hash:
917d992fb612e3ec3b59cbcf4d0bf483f97e0d83
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/f1066ec1-e17b-4e88-85b2-e58c75b93b45/
Parent samples :
0d7e87634d90e0042e752f4f9e03446a060469605aa0f0dd059f52f71d16a1cd
7b6394aea669466dccc9fdb61c99a3952e936be30a9187da8198f88974e5cae6
b586ca95ba9557f7ad2434d01f96ff191b77541670894df3b78aa3a8312ae092
SH256 hash:
75c1a57d1f97d1d42424c8a5ca499a33002ae2b772bd6bceb006140a3084fc2c
MD5 hash:
4ccfc2e85ff615e849fea767f0fb0c82
SHA1 hash:
782caa710a3a00490f68a392f451383b5c01b236
Link:
https://www.unpac.me/results/f1066ec1-e17b-4e88-85b2-e58c75b93b45/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/f1066ec1-e17b-4e88-85b2-e58c75b93b45/
SH256 hash:
0d7e87634d90e0042e752f4f9e03446a060469605aa0f0dd059f52f71d16a1cd
MD5 hash:
092ac9e3584c14d11466104765e66c35
SHA1 hash:
687b6ea86e38bfeded519c6a0045ec9e532ac7ba
Link:
https://www.unpac.me/results/f1066ec1-e17b-4e88-85b2-e58c75b93b45/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d7e87634d90e0042e752f4f9e03446a060469605aa0f0dd059f52f71d16a1cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216494/

Comments