MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 263565e9f77b5ee48474855d471315dd56d1bcabe4d037fb380d404b3afcd14e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 263565e9f77b5ee48474855d471315dd56d1bcabe4d037fb380d404b3afcd14e
SHA3-384 hash: 561a89ff1e159214941234ef2fc6b044383464adea2431593a77766a636270fc2075a3eb8da2723191fa0998015cd8b2
SHA1 hash: 16145a9a2d272d7fafe41d1f38704d58d5cb45b6
MD5 hash: 9ca4c4d5ef68fc0cb4942809dbb8d4ff
humanhash: oven-purple-item-island
File name:ACHETS039847.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:892'416 bytes
First seen:2022-02-14 02:30:38 UTC
Last seen:2022-02-14 04:55:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:6l1tqDDDDmLaKYP10LZ//4I5iNPAa0V2EU+//HhhoPY4cDN:wtqDDDDmLaKYP10t//4bT08EUU/HHoQ4
Threatray 4'145 similar samples on MalwareBazaar
TLSH T10F15120EE676A255C9B903B9E05184540BB88A1E9057D77F726F3CC93FA73838A3117B
File icon (PE):PE icon
dhash icon ec78d88000208090 (1 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
185.222.58.111:5355

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.222.58.111:5355 https://threatfox.abuse.ch/ioc/387394/

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241222/
Detection(s):
SecuriteInfo.com.Variant.Lazy.60594.22086.7713.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/624b1f6f-4bd3-41be-90b6-dba2ffb44c29
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939064
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 571542 Sample: ACHETS039847.exe Startdate: 14/02/2022 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 9 other signatures 2->54 7 ACHETS039847.exe 7 2->7         started        11 dhcpmon.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\Roaming\JsvjFK.exe, PE32 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmp6317.tmp, XML 7->38 dropped 56 Uses schtasks.exe or at.exe to add and modify task schedules 7->56 58 Adds a directory exclusion to Windows Defender 7->58 60 Injects a PE file into a foreign processes 7->60 13 ACHETS039847.exe 1 12 7->13         started        18 powershell.exe 23 7->18         started        20 schtasks.exe 1 7->20         started        22 powershell.exe 11->22         started        24 schtasks.exe 11->24         started        26 dhcpmon.exe 11->26         started        signatures5 process6 dnsIp7 46 185.222.58.111, 49761, 49778, 49795 ROOTLAYERNETNL Netherlands 13->46 40 C:\Program Files (x86)\...\dhcpmon.exe, PE32 13->40 dropped 42 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 13->42 dropped 44 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 13->44 dropped 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->62 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/263565e9f77b5ee48474855d471315dd56d1bcabe4d037fb380d404b3afcd14e/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 02:31:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
5 of 43 (11.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ey2wl2pxpnpojbduqvouoeyv3vlndpfl4tidp6zybvaewox42fha._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
NanoCore
30e1ba61a63a27b668eee09f960a83d944e878c33b46f85ea86bacdf1427f4dd
NanoCore
8bf0518cd0c607aa51073dfe422f6af43ab8b43523bd0c182cc6172c9ecb9072
NanoCore
8de953938b8fb2d222892012da5758cefe50de064f61416c2bc2c6e6f019352c
NanoCore
acc1c22f2003ccec8114d0cf6f022836c8e00ab0e895a6a59f6a11cdec2db3b4
NanoCore
d401cecef9371db314f39d5c4bf3457340d7be6f0aac6c61b3cd25310a9dfadf
NanoCore
e3a4b7f4c06b234b71769adaa1df2b4e00b7c1953ffcc9216a89b2c8a673de47
NanoCore
fee5158177e7960671d9a1126ce5d7e0bf56501f914ceed43c87cfa392c72768
NanoCore
+ 4'135 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/220214-czqdxadfg4/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Unpacked files
SH256 hash:
d3b406d76ce05c6b493f5cb9a03b5dc8b35274406014707cb7267b11ac318d4a
MD5 hash:
090b20e07590b3ed73c41c664fb109c9
SHA1 hash:
780d41971f189002c48511f233614e8cfd0304b5
Link:
https://www.unpac.me/results/778c66f4-eddb-4e11-b124-d20dee5a479b/
SH256 hash:
78a4ef78209cd20d70d9bd8135976f6d37e7ecc052c2c5fc24411a8d2e8a2835
MD5 hash:
5aa00213c3fdc11b8a13deb2964ed9e3
SHA1 hash:
61013cb576f992f5bdcba43104a4244c20558e23
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/778c66f4-eddb-4e11-b124-d20dee5a479b/
SH256 hash:
5ccbc53ffe52ec04138e9ab2ab1c78bf25898ec3ebcce1f97d42a702f0098cd1
MD5 hash:
f860c963930fe1189e7fe83dcb03e393
SHA1 hash:
fd32547a214f37a34dd86ba810a2b036ca5a8023
Link:
https://www.unpac.me/results/778c66f4-eddb-4e11-b124-d20dee5a479b/
SH256 hash:
3ca74eb4ce4c2c5604dc298949ae47996d93063abfde0682d689205561d17d44
MD5 hash:
4e35b541f3d9162d0ac93d336df67779
SHA1 hash:
bb9e65761186806d4bada659e9d5db0c070501d4
Link:
https://www.unpac.me/results/778c66f4-eddb-4e11-b124-d20dee5a479b/
SH256 hash:
263565e9f77b5ee48474855d471315dd56d1bcabe4d037fb380d404b3afcd14e
MD5 hash:
9ca4c4d5ef68fc0cb4942809dbb8d4ff
SHA1 hash:
16145a9a2d272d7fafe41d1f38704d58d5cb45b6
Link:
https://www.unpac.me/results/778c66f4-eddb-4e11-b124-d20dee5a479b/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/263565e9f77b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/263565e9f77b5ee48474855d471315dd56d1bcabe4d037fb380d404b3afcd14e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241222/

Comments