MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22483a99e691a840aaa9718cad03cc07baae6588cb64d7c795f35aaf47a171bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NerbianRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22483a99e691a840aaa9718cad03cc07baae6588cb64d7c795f35aaf47a171bc
SHA3-384 hash: 7346d648454c63fc822ddad7bc17de4d6c87da028eda76c4cc47d42397b6814342b6bd67716545823ba25a2e705370fd
SHA1 hash: 195dc4f80cbd94fec6b10fb6602776f30a743fe7
MD5 hash: 27b68b6b41189585748daeb0de03928a
humanhash: green-nine-fish-red
File name:22483a99e691a840aaa9718cad03cc07baae6588cb64d7c795f35aaf47a171bc
Download: download sample
Signature NerbianRAT
Create hunting rule
File size:858'112 bytes
First seen:2022-06-24 20:37:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (237 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 12288:72r7pNqs9Ukq9ASKqPS1lmgH5nfI4f6Ayn7VpplZdAXzjq2uFbPBHy/bo/:72N9UkSx1kRnfVf6AOr7vzVyy
Threatray 96 similar samples on MalwareBazaar
TLSH T11B0512A97168C89FD4AE2EB58E45F769A2207C702C8C5C823D993E1D34F4296341DBFD
TrID 86.3% (.EXE) UPX compressed Win64 Executable (70117/5/12)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
2.4% (.EXE) Generic Win/DOS Executable (2002/3)
2.4% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d0d2d2b0a8f018 (8 x SnakeKeylogger, 1 x NerbianRAT, 1 x AgentTesla)
Reporter Anonymous
Tags:exe NerbianRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283163/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
khalesi packed trickbot wacatac
Link:
https://www.filescan.io/uploads/62b620ad62d792dc57427cd2/reports/296e41b1-adec-45f1-8cb4-fe9d8015e773/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Nerbian RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53785287-4625-4e65-b0b5-1d6e138e83b1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1019587
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contain functionality to detect virtual machines
Drops PE files to the user root directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22483a99e691a840aaa9718cad03cc07baae6588cb64d7c795f35aaf47a171bc/
Threat name:
Win64.Trojan.Khalesi
Create hunting rule
Status:
Malicious
First seen:
2022-06-02 03:06:46 UTC
File Type:
PE+ (Exe)
Extracted files:
37
AV detection:
12 of 41 (29.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejedvgpgsguebkvjoggk2a6ma65k4zmiznsnpr4v6nnk6r5bog6a._file
Verdict:
suspicious
Similar samples:
1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad
NerbianRAT
47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35
NerbianRAT
89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b
NerbianRAT
eba2f0afd491ee595cd6908494e9e2a2115ed71c053c6d7b94970f1985830ada
NerbianRAT
+ 86 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/220624-zepm7seffr/
Behaviour
Suspicious behavior: EnumeratesProcesses
UPX packed file
Unpacked files
SH256 hash:
22483a99e691a840aaa9718cad03cc07baae6588cb64d7c795f35aaf47a171bc
MD5 hash:
27b68b6b41189585748daeb0de03928a
SHA1 hash:
195dc4f80cbd94fec6b10fb6602776f30a743fe7
Link:
https://www.unpac.me/results/b0cb7350-b451-4c47-803a-e07b742f726a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.24
Link:
https://yomi.yoroi.company/submissions/22483a99e691a840aaa9718cad03cc07baae6588cb64d7c795f35aaf47a171bc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/283163/

Comments