MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1255663f8fbbb4454bc52f2d80bc61ea4b333e3f816272dd3f5efd91f1cf3235. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	1255663f8fbbb4454bc52f2d80bc61ea4b333e3f816272dd3f5efd91f1cf3235
SHA3-384 hash:	68bbaa3fb5dcae9bb975040c9fbd5fe5dd7740947533f9c693cc8c0259c1a7ef1c9d2b21296dbd700a8fd36bee6b2ceb
SHA1 hash:	8660a8d6624cb9552f215808e6fd62dad7e5e146
MD5 hash:	801bf8ada5a58fd5e27314d170d3936d
humanhash:	tennessee-eight-double-don
File name:	801bf8ada5a58fd5e27314d170d3936d.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	719'360 bytes
First seen:	2022-08-15 16:07:52 UTC
Last seen:	2022-08-15 16:49:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'598 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:z4M2TgyBgDtpT2coTXvMa7Rm8xYoWBvLaPjnPdBCqe2Fmki9bF:GgyBWzho7Nm8xAvLmjzH7k
TLSH	T1B3E4DFAF2E9C5616CC7507B4ECAD1180ABF27DA13612E2DE5CA370D6C4B239C4798E17
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe NanoCore RAT

Intelligence

File Origin

# of uploads :

# of downloads :

353

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

nanocore

ID:

File name:

801bf8ada5a58fd5e27314d170d3936d.exe

Verdict:

Malicious activity

Analysis date:

2022-08-15 16:15:08 UTC

Tags:

trojan nanocore rat

Link:

https://app.any.run/tasks/8eb29735-9854-4881-a651-6516f2d5d6ce

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/298769/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1449.30120.3759.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62fa6fae080024921b7b5098/reports/b5c8fb6d-053f-4ebc-8bce-6a11a64066a5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NanoCoreRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b3102772-2e1e-4c55-84c7-27d25f724725

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1051690

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected Nanocore Rat

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/1255663f8fbbb4454bc52f2d80bc61ea4b333e3f816272dd3f5efd91f1cf3235/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-08-15 10:57:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cjkwmp4pxo2eks6ff4wybpdb5jftgpr7qfrhfxj7l36zd4opgi2q._file

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/220815-tk8qdachck/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

jasonbourne.bounceme.net:4032
127.0.0.1:4032

Unpacked files

SH256 hash:

d473c692413e3c55aaf0dfe2c9f41111a94c197f9a64f502e9cf91acbf6baefb

MD5 hash:

5917fbfd1785276c51418ea1c8664d74

SHA1 hash:

bc62d76c3ec31af28fb2d26e50c908ad68a67d35

Link:

https://www.unpac.me/results/773224d2-c211-460c-8322-f8f160f9d2ba/

SH256 hash:

c1244b6f8b4593ccd708d8a8bae80016b90f6b1e7a11db924d3ebe5e7d93c3c9

MD5 hash:

c8fdd8da7febb5e7507b01f37808dadc

SHA1 hash:

b00cb28e7bb2b1a5c42a490bdd644af3dafabf30

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/773224d2-c211-460c-8322-f8f160f9d2ba/

Parent samples :

d404c5c21e05bc1d59b88190b7d156d33788a7c6041b03dd7b2ed69019c880d1
4e8ac31a9398a014baf30bab2e812e388a57fb30d65f72fccb3b2d1663d2010b
a6612f9f8d59916b3cad6b6feafbafe478373b63f94a2ba316e659db22effa75
2d44e2456bba829eced7c4ea8af67a1f826e199a12c5f4f0aa748148f45e4d67
0e452f1a29c4454498ca8ba5ebecb50d9bac6516609050902594a49d8c755718
1255663f8fbbb4454bc52f2d80bc61ea4b333e3f816272dd3f5efd91f1cf3235
d8e48fe772cf45133747514c3922388451f7243f8062d76cdf97c70c50dd21dd
91e42804233e0414668609facbf8c7213a90244cd4764e7d15bef810f56e71e5
a74a1a543982980d4ef3cc3ab37465995147ae0e3e1e806e5b18dea07feedd52
56daa83452fd79c8045ec1fcc463d6578e73c5b66800fdf69142f735b18a4d47
6bbc33a7b99107d0a4ac7f7401dbcf392622be37f6ee80abe438cf6a0de24ac7
77ec85f10b4bd4847f5db6c938547d78c35417c0a5503f1a7bdd4a2594964c95
ef7e5697201c1bf2fb0525850f6061b3496f11d1f2f2145c6f52faf6a733c644
286de23f6df70f2bb2a69976f46f90299e8897e1ec9113ba539ac374632fc9a6
50632d0cc2b173a5f68c0a4893b37f97ce3d73be2dd6c4ea9b2f36e5a0756bdc

SH256 hash:

a656f8caa9ab949cfd776c7e66d915a8f94876d6212ae563c19ec181116adb62

MD5 hash:

8842a0ce1fae7af754bbdc34c0b1cbb9

SHA1 hash:

34100244edaeae474b26cee0ab525dab0304404b

Link:

https://www.unpac.me/results/773224d2-c211-460c-8322-f8f160f9d2ba/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/773224d2-c211-460c-8322-f8f160f9d2ba/

SH256 hash:

1b72d49a5e3db7a7a157408ac93240c7e0316ed7f6ddd10befc1af7e4bf7f68c

MD5 hash:

9c1436a35d82492bd09b6d65e4eaf94a

SHA1 hash:

2177711310aef753f821b881a4ee7f64f3bc9ef8

Link:

https://www.unpac.me/results/773224d2-c211-460c-8322-f8f160f9d2ba/

SH256 hash:

1255663f8fbbb4454bc52f2d80bc61ea4b333e3f816272dd3f5efd91f1cf3235

MD5 hash:

801bf8ada5a58fd5e27314d170d3936d

SHA1 hash:

8660a8d6624cb9552f215808e6fd62dad7e5e146

Link:

https://www.unpac.me/results/773224d2-c211-460c-8322-f8f160f9d2ba/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1255663f8fbbb4454bc52f2d80bc61ea4b333e3f816272dd3f5efd91f1cf3235

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

exe 1255663f8fbbb4454bc52f2d80bc61ea4b333e3f816272dd3f5efd91f1cf3235

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2260834/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/298769/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample