MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 1f3a7e183273798800d2655de5632cf9d900ba43cb7141ee871138baa58368a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
NanoCore
Vendor detections: 14
| SHA256 hash: | 1f3a7e183273798800d2655de5632cf9d900ba43cb7141ee871138baa58368a9 |
|---|---|
| SHA3-384 hash: | 42ea42c7775b0e31c99bfc1560c147815f4341069d86e725a37dcbad79149e3edf562b085e6b39999f1eebee09824d07 |
| SHA1 hash: | 393c9b6041a761dd91c7919b3330e51d0666d60f |
| MD5 hash: | 78bb9c6428aa60d398e4889b0f38d002 |
| humanhash: | whiskey-river-double-whiskey |
| File name: | SecuriteInfo.com.W32.AIDetectNet.01.20070.29512 |
| Download: | download sample |
| Signature | NanoCore |
| File size: | 733'184 bytes |
| First seen: | 2022-08-15 05:30:16 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:SMWM2TgBVKAy15TjcJMGPzzLXdO/YRl1flMvcn3lWbywXZb6Fmki9bF3Tw7:SMAgBVLy7/cJ1zzjc/sllxwpbMk3 |
| Threatray | 4'466 similar samples on MalwareBazaar |
| TLSH | T127F4D0EF6DCC5605CD7A07B4ECEC00846BF2BDA53616D6DE6CA3309AC47239C8658E16 |
| TrID | 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | 71f0c8cce8e0f071 (10 x FormBook, 7 x AgentTesla, 6 x Loki) |
| Reporter |  SecuriteInfoCom |
| Tags: | exe NanoCore |
Intelligence
File Origin
# of uploads :
1
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.20070.29512
Verdict:
Malicious activity
Analysis date:
2022-08-15 05:34:49 UTC
Tags:
trojan nanocore rat
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Verdict:
Malicious
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Detection:
nanocore
Threat name:
ByteCode-MSIL.Trojan.Leonem
Status:
Malicious
First seen:
2022-08-15 00:56:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
50
AV detection:
21 of 26 (80.77%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
nanocorerat
njrat
Similar samples:
+ 4'456 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Score:
10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
brewsterchristophe.ddns.net:5899
194,147,5,75:5899
194,147,5,75:5899
Unpacked files
SH256 hash:
2eb151d972515726d2e8c7d9e8312b7568da015b308d89539b68edd9b1efaa0c
MD5 hash:
98880ce3b66a55825eab46af69d3a22d
SHA1 hash:
b9d3ef8bfc75d76b2ec6a6aa2cb6b4fd25c35c2a
SH256 hash:
c6935368998dfd437e510319250d09c021b566540e37decf3aeac14484aee29e
MD5 hash:
c09e8415b576bc6122a52c4bf0265770
SHA1 hash:
8a358808413243ad449ecd01dcb4be807c20f58e
SH256 hash:
1705f8964f5c236633462fd39a5014dab266d579d4c6eefb65ac1ce95e22c552
MD5 hash:
23e4d54d6d369f1cef788806c92f512a
SHA1 hash:
274d8ceb73e8ed7661451c8aba24cecd830cd302
Detections:
win_nanocore_w0
Parent samples :
a321efcbd0394eade04263fd6498396c3e831ed65aa349c00dbf2b131994e19a
57fd565bb44788ce8f547cf1f439fb37bbe78944175bbc43ffa4b64156665556
c59c3b7e61af36979afe094310c06e24677975d07026ec9af07bfde74da794b6
8c8804a51f249b24b1ae1ad4487ed7bddd999f2a38158ef789af1c215559470e
d6538ca0dc816bcfb3f60df32e6550b91f3bd055af29f02591bcc3523ef921f6
78a74ab5a966c5040df4bb1b1a08a3bfa7d947aaee7e926b52a20186ed7f7158
64fb8789e8e0fb9c082c2999538a5dec7de3d0f722db0e95024134cce9a6d3d0
449055658e47e349dc4bb4e3c0adb81350033e687379f97237c6c80d6f1cb228
6b9c180d50ea0534d74fa091c19e53e40d98362cf4cc89519a65f328a701c6d4
0c8a003199b0dad7f78d98264132563b69b9dc7db94070f8f4e3a8d772ba31e8
b80b496fbcd8fdc4e6bc183162a25e530bf8b2ed8b8adf5ea1285159527942e2
1521a38b6aae5d1956ed09556fd9f6aa20b14d56e10232425aba7289b6d8bae5
c8f0e0c3a2fdc30c0bdb9981d9351b645991582db1a3f13858b180d9fe336694
1f3a7e183273798800d2655de5632cf9d900ba43cb7141ee871138baa58368a9
fadc03fc007070883778ae79c131e4c7b32e4fd9bcfce160471c2562c1a1fffb
b2b9d072b9292b91cb1b06073976e14ad1b2ae058b9c0d8b501105aca2881599
8a3d4a0f0802ea706906f866136b5e9544209d2e11e5c8b807a0a1a4dc378adb
13b4310ab48353c03081863aed798e98bd052f34a185deec31cc53fb8581400b
6039522fefe49f8bd1fdce03aaaace7c17b953ee76866329664d3a170bf13e2c
46d47ddb45405f4df17bb8257f53cc4136224e7869f870c1e6fcc34a81a28c4a
301327113173e1a09d26663802c3e61571e49eb4022138e4b8a5a4c59c5aef84
092800cb5a3d6b797e42f69f02c7247a85c87f5c9cf42811401d37dd8d1f7333
f7855a902d3593167f12ec67e73d286537596ce14aba2c890cfcfac016f4d564
b49ae429c9b3e4e9e59823d44795b16fc7184e5d18d9c7a1b7f70e11ee6c4400
6c29578e601488f2515975c4d31bd6a5042da0578d9eef2db6801bffba10cf23
3dddb479a1240c5cfdc2636cdd8bc0ecd3d2e9da37a6b4d73e206a768cc24181
6c8576cf231fd3e4c6812399704820c6b9d462e99d696181adf071015b92ea27
5f203844e8cb82ad24fcef815c4fcb03fa14789663e8fa83b459e6f1f1852f27
f01dd589bf6eee71da5d8f1dd99471c0ff2b2e4071147bfcad07d75727258425
a509158e1105757bec0ff3f7dd621360d0acb1f17271841c19dab776004cd17e
f2d01738489cb69458555f6fe64ba65e0ed7fe444f2eb04ad71c968ded40d48c
9d3daf108dbb469968ba5f3bacd9a629c274f00d74eba9569d59609242700349
bafacce7e32e02ec671933a99bdb31c65addf24813422f50f0a5879637210255
2c49d57864b4be1f8b2907b78e963abc931333d98ad1653be2a9826f412500fb
5f33488d404030c908ce3cc6a99867d2ccd697e2d67a5e02d23fe73b45f7e2a0
982d20cce7e6458f1b964b36efef0c7245bd155962c04b08e02323c9efc60f3b
2777c2ab1358ff442a0744634600581a71c0ea57b983437aaf1b2b184e249c3e
70a17ce04f4103804cdcb27e36235a89ba45561e5a477da5dc1a5e6f604d0ea7
a89892d742a7c1c0e63d3606d9e4764a8f6318dbbc58c2a2f14963fb47c380a8
09bb497c378ed884983055338dce20e8db38ed9b966da929b0f1d5d646a52808
57fd565bb44788ce8f547cf1f439fb37bbe78944175bbc43ffa4b64156665556
c59c3b7e61af36979afe094310c06e24677975d07026ec9af07bfde74da794b6
8c8804a51f249b24b1ae1ad4487ed7bddd999f2a38158ef789af1c215559470e
d6538ca0dc816bcfb3f60df32e6550b91f3bd055af29f02591bcc3523ef921f6
78a74ab5a966c5040df4bb1b1a08a3bfa7d947aaee7e926b52a20186ed7f7158
64fb8789e8e0fb9c082c2999538a5dec7de3d0f722db0e95024134cce9a6d3d0
449055658e47e349dc4bb4e3c0adb81350033e687379f97237c6c80d6f1cb228
6b9c180d50ea0534d74fa091c19e53e40d98362cf4cc89519a65f328a701c6d4
0c8a003199b0dad7f78d98264132563b69b9dc7db94070f8f4e3a8d772ba31e8
b80b496fbcd8fdc4e6bc183162a25e530bf8b2ed8b8adf5ea1285159527942e2
1521a38b6aae5d1956ed09556fd9f6aa20b14d56e10232425aba7289b6d8bae5
c8f0e0c3a2fdc30c0bdb9981d9351b645991582db1a3f13858b180d9fe336694
1f3a7e183273798800d2655de5632cf9d900ba43cb7141ee871138baa58368a9
fadc03fc007070883778ae79c131e4c7b32e4fd9bcfce160471c2562c1a1fffb
b2b9d072b9292b91cb1b06073976e14ad1b2ae058b9c0d8b501105aca2881599
8a3d4a0f0802ea706906f866136b5e9544209d2e11e5c8b807a0a1a4dc378adb
13b4310ab48353c03081863aed798e98bd052f34a185deec31cc53fb8581400b
6039522fefe49f8bd1fdce03aaaace7c17b953ee76866329664d3a170bf13e2c
46d47ddb45405f4df17bb8257f53cc4136224e7869f870c1e6fcc34a81a28c4a
301327113173e1a09d26663802c3e61571e49eb4022138e4b8a5a4c59c5aef84
092800cb5a3d6b797e42f69f02c7247a85c87f5c9cf42811401d37dd8d1f7333
f7855a902d3593167f12ec67e73d286537596ce14aba2c890cfcfac016f4d564
b49ae429c9b3e4e9e59823d44795b16fc7184e5d18d9c7a1b7f70e11ee6c4400
6c29578e601488f2515975c4d31bd6a5042da0578d9eef2db6801bffba10cf23
3dddb479a1240c5cfdc2636cdd8bc0ecd3d2e9da37a6b4d73e206a768cc24181
6c8576cf231fd3e4c6812399704820c6b9d462e99d696181adf071015b92ea27
5f203844e8cb82ad24fcef815c4fcb03fa14789663e8fa83b459e6f1f1852f27
f01dd589bf6eee71da5d8f1dd99471c0ff2b2e4071147bfcad07d75727258425
a509158e1105757bec0ff3f7dd621360d0acb1f17271841c19dab776004cd17e
f2d01738489cb69458555f6fe64ba65e0ed7fe444f2eb04ad71c968ded40d48c
9d3daf108dbb469968ba5f3bacd9a629c274f00d74eba9569d59609242700349
bafacce7e32e02ec671933a99bdb31c65addf24813422f50f0a5879637210255
2c49d57864b4be1f8b2907b78e963abc931333d98ad1653be2a9826f412500fb
5f33488d404030c908ce3cc6a99867d2ccd697e2d67a5e02d23fe73b45f7e2a0
982d20cce7e6458f1b964b36efef0c7245bd155962c04b08e02323c9efc60f3b
2777c2ab1358ff442a0744634600581a71c0ea57b983437aaf1b2b184e249c3e
70a17ce04f4103804cdcb27e36235a89ba45561e5a477da5dc1a5e6f604d0ea7
a89892d742a7c1c0e63d3606d9e4764a8f6318dbbc58c2a2f14963fb47c380a8
09bb497c378ed884983055338dce20e8db38ed9b966da929b0f1d5d646a52808
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
SH256 hash:
1b72d49a5e3db7a7a157408ac93240c7e0316ed7f6ddd10befc1af7e4bf7f68c
MD5 hash:
9c1436a35d82492bd09b6d65e4eaf94a
SHA1 hash:
2177711310aef753f821b881a4ee7f64f3bc9ef8
SH256 hash:
1f3a7e183273798800d2655de5632cf9d900ba43cb7141ee871138baa58368a9
MD5 hash:
78bb9c6428aa60d398e4889b0f38d002
SHA1 hash:
393c9b6041a761dd91c7919b3330e51d0666d60f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.