MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ec08fa4a70b1518af1c355b3064cc2865fad5d1ac6d7e1b02b042fcd0e9e842. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ec08fa4a70b1518af1c355b3064cc2865fad5d1ac6d7e1b02b042fcd0e9e842
SHA3-384 hash: ed60ad88b0a668c44cd8e31d2ebe6ded8df620d275e3b23bfa182b559f4ee5e4edfaadb0782e8fadceb1e61eff05dc9e
SHA1 hash: 1b102e279128986540956848f25b9303655469af
MD5 hash: 6984b8cb3db2f23249ecda2a35876b93
humanhash: glucose-july-enemy-november
File name:6984b8cb3db2f23249ecda2a35876b93.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:765'440 bytes
First seen:2023-02-18 08:52:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:sqzGPtp+nknBeVM00B1aWthhvkeIWweW6y295gFZjtrER5UxIBeqDSugDs+9t:IknkfTBJthcbeByM5gFFtrERgIkqDSu
TLSH T17CF48C8C84F1EA3EEA898EBD331436081FE05A436B22D5F5E3E5FAC15B36263485D535
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe NanoCore RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
6984b8cb3db2f23249ecda2a35876b93.exe
Verdict:
Malicious activity
Analysis date:
2023-02-18 09:32:19 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/a2c5faf7-9d28-4947-ace5-6960e2ec221e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368037/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1842.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f091f2fb866fb31ede7bfa/reports/66f8abee-3245-4cb8-8ba8-9d1e28ce612d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1ec08fa4a70b1518af1c355b3064cc2865fad5d1ac6d7e1b02b042fcd0e9e842
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eca3c670-0947-48bf-a575-6fee1bd1af15
Result
Threat name:
Nanocore, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1178452
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 811277 Sample: uJ5XW692If.exe Startdate: 18/02/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Multi AV Scanner detection for domain / URL 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 12 other signatures 2->57 8 uJ5XW692If.exe 3 2->8         started        12 uJ5XW692If.exe 2 2->12         started        14 dhcpmon.exe 3 2->14         started        16 dhcpmon.exe 2 2->16         started        process3 file4 47 C:\Users\user\AppData\...\uJ5XW692If.exe.log, ASCII 8->47 dropped 61 Uses schtasks.exe or at.exe to add and modify task schedules 8->61 18 uJ5XW692If.exe 1 15 8->18         started        23 uJ5XW692If.exe 12->23         started        25 uJ5XW692If.exe 12->25         started        27 dhcpmon.exe 2 14->27         started        29 dhcpmon.exe 16->29         started        signatures5 process6 dnsIp7 49 tzitziklishop.ddns.net 45.12.253.26, 1665, 49697, 49698 CMCSUS Germany 18->49 39 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->39 dropped 41 C:\Users\user\AppData\Roaming\...\run.dat, data 18->41 dropped 43 C:\Users\user\AppData\Local\...\tmp5B8F.tmp, XML 18->43 dropped 45 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->45 dropped 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->59 31 schtasks.exe 1 18->31         started        33 schtasks.exe 1 18->33         started        file8 signatures9 process10 process11 35 conhost.exe 31->35         started        37 conhost.exe 33->37         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ec08fa4a70b1518af1c355b3064cc2865fad5d1ac6d7e1b02b042fcd0e9e842/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-16 14:33:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 39 (51.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d3ai7jfhbmkrrly4gvntazgmfbs7vvorvrwx4gycwbbpzuhj5bba._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230218-ktbbssbb6y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
tzitziklishop.ddns.net:1665
127.0.0.1:1665
Unpacked files
SH256 hash:
b03bc919e4cd52366c41d034b87a4a6a1165f6a916b754eee3085dcf80260e7c
MD5 hash:
6e7032b6a71371e557b4c59bed575587
SHA1 hash:
f5202ada26d4928c80cebf11f0ab4890044b0ae8
Link:
https://www.unpac.me/results/eba072ab-3d59-48bc-bbcd-1e88ad7ac866/
SH256 hash:
7bedc5474e0d554ec7a8a94a67e512ee40d0e86da5592896df2611c0ec0bea07
MD5 hash:
ff3c3ae686dca93ce9697b432be65ba3
SHA1 hash:
687717dce45c9be461a0c172603d9fad9128aa9d
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/eba072ab-3d59-48bc-bbcd-1e88ad7ac866/
Parent samples :
c60ca254cda5e786866913ff68cfe9a24c6b019902639c77e75a8428b0580b1b
60131e4ae461f3fb2c0b931ef05d57eb222aab87ea6f79c60ffb494be8fc5b60
de618fb2a376e986af7a45aa15f4e9bf5a99a0cedd696e99c15210b2e29a673d
7b0363d6a7662590a1f0961e12b51ad869022955fc5afa7fd632e22e421bf753
51ceb018606283762a4b93d5011781581da2d2dc2e2c8e87bc25a59ef9bb3204
bdfc24d604f256170914e2f360d8b6ed30182fe8682fc11aa136dec7a5fb1876
8ecc4898d03bf034a6586ff886d9883b2ac27d08bdfe70dbd9878a4d77d5dce8
3b9b213448c7d1d3b5b9f9c19cdad35e6215af54e1e2e4995a74877f02bf8e0a
80b6578c3790af7fc6b68c26414c3cc693235de382abe5beda6619a5aba92617
ef32ef95268ba5534fdd8e75ef3c5663ffec9db01d9ea0f3a998a5869dc3106e
20b8f049494d33693b252a95fb0a556c5d4edca72144a41da1fc7e789e60b404
c586e4a6c2231c2829ee686488c28be502fea6204d5a2a33238aa1f4ed56e8b2
21c60fcbc947a644af73ca89b387a2cf0e27d8ff54883755893e0fe2e706e46e
1ec08fa4a70b1518af1c355b3064cc2865fad5d1ac6d7e1b02b042fcd0e9e842
56370fb64b05cc316eaa1ab45d3fd48c00f35eb63c2073323d022f413af3c528
0bf755c4d3302be22d4510d7ec0f6f3aef5d01e90e858850cf2c6bf27a601aab
SH256 hash:
adfdfbfd58219f83ad6b0a963798491c646958679269396447c22e6efaef5e72
MD5 hash:
d2a7fe595534cdac579153ede77966c2
SHA1 hash:
57bbdf7e2549a4a8397d22a87ecdef27ecfba0ad
Link:
https://www.unpac.me/results/eba072ab-3d59-48bc-bbcd-1e88ad7ac866/
SH256 hash:
c12d2628d984c0b8071e1daa76812d8eae5cd9a18dd99eac444ba00d38977501
MD5 hash:
ec47f2cc8cb2264f192660aa1c81f96d
SHA1 hash:
50b322aa2022e5570911ceb2ca39aeaeca91e540
Link:
https://www.unpac.me/results/eba072ab-3d59-48bc-bbcd-1e88ad7ac866/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/eba072ab-3d59-48bc-bbcd-1e88ad7ac866/
SH256 hash:
1ec08fa4a70b1518af1c355b3064cc2865fad5d1ac6d7e1b02b042fcd0e9e842
MD5 hash:
6984b8cb3db2f23249ecda2a35876b93
SHA1 hash:
1b102e279128986540956848f25b9303655469af
Link:
https://www.unpac.me/results/eba072ab-3d59-48bc-bbcd-1e88ad7ac866/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ec08fa4a70b1518af1c355b3064cc2865fad5d1ac6d7e1b02b042fcd0e9e842

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 1ec08fa4a70b1518af1c355b3064cc2865fad5d1ac6d7e1b02b042fcd0e9e842

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2262146/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/368037/

Comments