MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1abcc38e288d1e4c36001ae4ee4373d0dfaf32d4feb0710a25ad3c281b6eeaf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1abcc38e288d1e4c36001ae4ee4373d0dfaf32d4feb0710a25ad3c281b6eeaf5
SHA3-384 hash: 0a2920486c7eb7f2090ccd6e9d1e93b5d25d4d07f35cf049f2671fb12d1ec73cd666d41294f7c252533ab9e7b97de17a
SHA1 hash: 9283a86f76ec327345ff66d2ff624fa8c17d5381
MD5 hash: 62b7c0ecb47b68b05081628459e105cc
humanhash: burger-single-oklahoma-winner
File name:62b7c0ecb47b68b05081628459e105cc.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:958'636 bytes
First seen:2022-12-03 05:05:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (866 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:LAOcZXMul6lFaXuuwHi4QYlfC3+speeCjV/YYPhrHGc:NHDj+IC3RhYHGc
Threatray 3'006 similar samples on MalwareBazaar
TLSH T191151202F6CA8972D1B30A719D25BB99AA7C7E601F24DB5F73E4291DC7311902225FB3
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 80009085808696a2 (14 x AgentTesla, 4 x Formbook, 3 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
194.5.98.227:19864

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
62b7c0ecb47b68b05081628459e105cc.exe
Verdict:
Malicious activity
Analysis date:
2022-12-03 05:07:48 UTC
Tags:
trojan rat asyncrat nanocore
Link:
https://app.any.run/tasks/f84ed4e6-6aef-432a-a967-3eca08678a6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/342144/
Detection(s):
Win.Dropper.Formbook-9980027-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/638ad93ba2c2485912c77b6e/reports/6a415f38-2edb-472f-a827-aebd3049f41a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7ca2dcc8-8031-4249-b0f5-0df0e1a6b1b1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1126957
Signature
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 759681 Sample: EzDJOCnLKW.exe Startdate: 03/12/2022 Architecture: WINDOWS Score: 100 72 newcracker.duckdns.org 2->72 78 Snort IDS alert for network traffic 2->78 80 Multi AV Scanner detection for domain / URL 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 4 other signatures 2->84 15 EzDJOCnLKW.exe 3 37 2->15         started        18 mbhvcbcosq.exe 1 1 2->18         started        20 mbhvcbcosq.exe 2->20         started        22 mbhvcbcosq.exe 2->22         started        signatures3 process4 file5 68 C:\Users\user\AppData\...\mbhvcbcosq.exe, PE32 15->68 dropped 24 wscript.exe 1 15->24         started        26 wscript.exe 18->26         started        28 wscript.exe 20->28         started        30 wscript.exe 22->30         started        process6 process7 32 mbhvcbcosq.exe 1 4 24->32         started        36 mbhvcbcosq.exe 26->36         started        38 mbhvcbcosq.exe 28->38         started        40 mbhvcbcosq.exe 30->40         started        dnsIp8 70 192.168.2.1 unknown unknown 32->70 74 Antivirus detection for dropped file 32->74 76 Multi AV Scanner detection for dropped file 32->76 42 wscript.exe 1 32->42         started        44 wscript.exe 36->44         started        46 wscript.exe 38->46         started        48 wscript.exe 40->48         started        signatures9 process10 process11 50 mbhvcbcosq.exe 1 42->50         started        52 mbhvcbcosq.exe 44->52         started        54 mbhvcbcosq.exe 46->54         started        process12 56 wscript.exe 50->56         started        58 wscript.exe 52->58         started        process13 60 mbhvcbcosq.exe 56->60         started        process14 62 wscript.exe 60->62         started        process15 64 mbhvcbcosq.exe 62->64         started        process16 66 wscript.exe 64->66         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1abcc38e288d1e4c36001ae4ee4373d0dfaf32d4feb0710a25ad3c281b6eeaf5/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-11-24 09:16:22 UTC
File Type:
PE (Exe)
Extracted files:
65
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dk6mhdrirupeynqadlso4q3t2dp26mwu72yhccrfvu6cqg3o5l2q._file
Verdict:
malicious
Similar samples:
4099691b6923caf26f04c475c83d2eabbee3167061cb9d683c67cf36e63b31a9
NanoCore
4ae67a52de5f2bcaea6c9158b4b2dfd3b2953885c34063547b736a4a1096fcb2
NanoCore
6ed9a8b54bcf003ce7c30232c4aec5b6e14dd4722238dd153e8d01a1494eca8f
NanoCore
dc6132f9c63cd966c76790f0761299f92c31684197e40a949c4e1eb9a539bfc8
NanoCore
e15347eeeba6fb5f12440c9c2720d8055747cd973fde267d7e159f40efa62ab5
NanoCore
ea103cc8e05d365c5974be588279338383c416a04cad3ac3f91e44ebf4b22bc5
NanoCore
fd8d1fdc81053818002dd60fb8d7b0d8e37ee984d77760750456e1773c2c0bcc
NanoCore
+ 2'996 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:nanocore botnet:default evasion keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/221203-fre5rabd4v/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
NanoCore
Malware Config
C2 Extraction:
mansengco778.ddns.net:8647
newcracker.duckdns.org:8647
newcracker.duckdns.org:19864
mansengco778.ddns.net:19864
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/482aeacf-6b2e-40ca-bb62-4d2015878178
Unpacked files
SH256 hash:
b0fc7096439bfda717219f6b68ceaba51f829cce7e46d7fb5517581439c7d893
MD5 hash:
6aac9010fc33253b5a5650a8dbef810e
SHA1 hash:
ba0eb324673767bd5ce46a2c612ae9a0635eca38
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/6de7fc6f-6e40-4a45-87b6-ad7254606f92/
SH256 hash:
66afc73f0404f16bc17a52310e0a20b9873d545ce0150c707085380e304d5bf2
MD5 hash:
7f1c4da4ccef5444f63116af34bbb438
SHA1 hash:
ef03506eafaaa72cba67796306e688c295565a83
Link:
https://www.unpac.me/results/6de7fc6f-6e40-4a45-87b6-ad7254606f92/
SH256 hash:
1abcc38e288d1e4c36001ae4ee4373d0dfaf32d4feb0710a25ad3c281b6eeaf5
MD5 hash:
62b7c0ecb47b68b05081628459e105cc
SHA1 hash:
9283a86f76ec327345ff66d2ff624fa8c17d5381
Link:
https://www.unpac.me/results/6de7fc6f-6e40-4a45-87b6-ad7254606f92/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1abcc38e288d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1abcc38e288d1e4c36001ae4ee4373d0dfaf32d4feb0710a25ad3c281b6eeaf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/342144/

Comments