MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15e77ee21814be81b2582c1282c6a6156e2845998bd9920c5140253f41c038bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15e77ee21814be81b2582c1282c6a6156e2845998bd9920c5140253f41c038bb
SHA3-384 hash: 305f2511457e122ad9b4452b8b3e07813e0ea1ee364f8a2e95dffe97570cc86c086fa4360e165fda1e86be71abe12e27
SHA1 hash: f6c58154b6d3084bee25bfcdb09e95b286e0063b
MD5 hash: 0540091eb7c81ba036b9eb3cac4d49c2
humanhash: high-cat-green-arkansas
File name:0540091eb7c81ba036b9eb3cac4d49c2.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'007'104 bytes
First seen:2022-07-25 05:51:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:xgmNl0zd9NXJGpuWgQTqW7TjrLan8snnxWNhwaQSeZU:xgOl0zd9N5RWqW3XLan8eFPu
Threatray 4'532 similar samples on MalwareBazaar
TLSH T14425E096B5964A02D8290FB2C8F64C0403B36E9ABC75F70F6DD5B2961B733C74582B1B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 696c4c2d4d69586c (1 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
185.140.53.69:30507

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.69:30507 https://threatfox.abuse.ch/ioc/839416/

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/293875/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44341.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/62de2ffda2f481deb9651271/reports/6fc1fb82-40fd-4f59-aa0e-8ab059e0e804/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d87d70fc-08e3-4cf0-874e-2ab92ce4f18e
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1040143
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 672637 Sample: XmKeaMRPzV.exe Startdate: 25/07/2022 Architecture: WINDOWS Score: 100 77 Snort IDS alert for network traffic 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus detection for URL or domain 2->81 83 13 other signatures 2->83 8 XmKeaMRPzV.exe 7 2->8         started        12 XmKeaMRPzV.exe 2->12         started        14 dhcpmon.exe 2->14         started        16 dhcpmon.exe 2->16         started        process3 file4 65 C:\Users\user\AppData\...\aBIpLLcGLLB.exe, PE32 8->65 dropped 67 C:\Users\...\aBIpLLcGLLB.exe:Zone.Identifier, ASCII 8->67 dropped 69 C:\Users\user\AppData\Local\...\tmpFA96.tmp, XML 8->69 dropped 71 C:\Users\user\AppData\...\XmKeaMRPzV.exe.log, ASCII 8->71 dropped 87 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->87 89 Uses schtasks.exe or at.exe to add and modify task schedules 8->89 91 Adds a directory exclusion to Windows Defender 8->91 18 XmKeaMRPzV.exe 8->18         started        23 powershell.exe 22 8->23         started        25 powershell.exe 23 8->25         started        27 schtasks.exe 8->27         started        93 Injects a PE file into a foreign processes 12->93 29 powershell.exe 12->29         started        31 powershell.exe 12->31         started        33 schtasks.exe 12->33         started        35 XmKeaMRPzV.exe 12->35         started        signatures5 process6 dnsIp7 73 logsresu59.duckdns.org 185.140.53.69, 30507, 49740, 49746 DAVID_CRAIGGG Sweden 18->73 75 192.168.2.1 unknown unknown 18->75 59 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->59 dropped 61 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->61 dropped 63 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->63 dropped 85 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->85 37 schtasks.exe 18->37         started        39 schtasks.exe 18->39         started        41 UsoClient.exe 18->41         started        43 conhost.exe 23->43         started        45 conhost.exe 25->45         started        47 conhost.exe 27->47         started        49 conhost.exe 29->49         started        51 conhost.exe 31->51         started        53 conhost.exe 33->53         started        file8 signatures9 process10 process11 55 conhost.exe 37->55         started        57 conhost.exe 39->57         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15e77ee21814be81b2582c1282c6a6156e2845998bd9920c5140253f41c038bb/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-22 13:51:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
53
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cxtx5yqycs7idmsyfqjifrvgcvxcqrmzrpmzedcriast6qoahc5q._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
21281c48dd7beeb19d22aef27f4d77f79c550fc32acc69d4c3b91966cc8a048b
NanoCore
3958c096f9bae8e96033422b4a3a7eaae19b1fbbeb0dec5c131954dd0042d9e9
NanoCore
57fd565bb44788ce8f547cf1f439fb37bbe78944175bbc43ffa4b64156665556
NanoCore
8c8804a51f249b24b1ae1ad4487ed7bddd999f2a38158ef789af1c215559470e
NanoCore
9c997bb5941de96a571243b7621bf577514cdc9818eb79b1116601fc31f3a17b
NanoCore
a0c4f2836d7b935bd927dc9727a0391762ba85f984656e77df325f9c5e8e6db4
NanoCore
a321efcbd0394eade04263fd6498396c3e831ed65aa349c00dbf2b131994e19a
NanoCore
ca016b313c838a1408d683a5628fe02368015c49d057c05ea6de47c46ec28ea5
NanoCore
d6538ca0dc816bcfb3f60df32e6550b91f3bd055af29f02591bcc3523ef921f6
NanoCore
+ 4'522 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220725-gkq44shda7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NanoCore
Malware Config
C2 Extraction:
logsresu59.duckdns.org:30507
127.0.0.1:30507
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/44b2f66b-2a19-4c61-8c8b-b9d01b446fd0/
SH256 hash:
fc102b7685c9702a12fb111705b28b03809d1de91d0a879ee774466dad9fe7dc
MD5 hash:
f27b210cd5e0f1cb84a88d6c3d246a58
SHA1 hash:
d1f210681f9c5791544ceb9a06fdb0ab2539246e
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/44b2f66b-2a19-4c61-8c8b-b9d01b446fd0/
SH256 hash:
f9067e91bfc082e1ddcb9ebaa3f697fbbcd6a961278cc9babfabce1bc04a3202
MD5 hash:
b38d4072a4937943ad4a9f15ad71d606
SHA1 hash:
b5302235d961cc64caa0fc07988b222ceb902fd4
Link:
https://www.unpac.me/results/44b2f66b-2a19-4c61-8c8b-b9d01b446fd0/
SH256 hash:
f6f90d43116969dd614ea7afeac8e1205d33b3944c76eb7f28e79f3252480e3a
MD5 hash:
6710832b86e21439787d8e38ce62fb32
SHA1 hash:
4bb47c1d08cfbffabd25e6e601a663e0ea3aec7c
Link:
https://www.unpac.me/results/44b2f66b-2a19-4c61-8c8b-b9d01b446fd0/
SH256 hash:
781c78f48dc35cb66432bd1826965cc59fb100d4d12c04432a2c92361f8364c3
MD5 hash:
4bfe50310c7b0dd87da13cc6109f0190
SHA1 hash:
2e3cfcf114927e004ea7788b29e5dc45c5f9e246
Link:
https://www.unpac.me/results/44b2f66b-2a19-4c61-8c8b-b9d01b446fd0/
SH256 hash:
15e77ee21814be81b2582c1282c6a6156e2845998bd9920c5140253f41c038bb
MD5 hash:
0540091eb7c81ba036b9eb3cac4d49c2
SHA1 hash:
f6c58154b6d3084bee25bfcdb09e95b286e0063b
Link:
https://www.unpac.me/results/44b2f66b-2a19-4c61-8c8b-b9d01b446fd0/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/15e77ee21814/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15e77ee21814be81b2582c1282c6a6156e2845998bd9920c5140253f41c038bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/293875/

Comments