MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b733276f28e8a547f7e2197e1be209c13718d5371922855264d1a5511ca66a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b733276f28e8a547f7e2197e1be209c13718d5371922855264d1a5511ca66a5
SHA3-384 hash: 0eb465c046b74cf415a4f6c0da8a5d7f6ca305b43836de630f6bdc08732a72f13df25f3d6086c782cbc1f68b7e1a2b2b
SHA1 hash: 6a2604e432c74aa662fd3fa9b7b31f123f624ed8
MD5 hash: 4b271fd529c4540f4306808cc333ab06
humanhash: sad-glucose-carpet-eighteen
File name:A1DB2JVWGG.CNT.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:2'042'368 bytes
First seen:2023-02-21 10:30:26 UTC
Last seen:2023-02-21 12:41:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:Qky9IISMoa5nCnabmOE2tVvJYE3pJBeK549dUQ5ugKTyN5yWTrvyEXtmJQ:IZDGE3pqU49z5F7TyIy6m
Threatray 1'098 similar samples on MalwareBazaar
TLSH T11695BF55EBFAC8E9E49708BC04341B092832AF53690EE3D9963A7E30E5786D3B1C4D75
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon cfcf4a4c4c4cc3cf (4 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
37.0.14.196:1759

Intelligence

File Origin
# of uploads :
2
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
A1DB2JVWGG.CNT.exe
Verdict:
Malicious activity
Analysis date:
2023-02-21 10:33:43 UTC
Tags:
nanocore
Link:
https://app.any.run/tasks/a9e1ec5f-c383-4a14-9577-b1f2c225a86e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/368593/
Detection(s):
SecuriteInfo.com.Variant.Kryptic.18.15730.19797.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f49d67b53d126ad26359a5/reports/f0ffd6ac-91e0-4aa1-aacf-21be88de31a0/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2b733276f28e8a547f7e2197e1be209c13718d5371922855264d1a5511ca66a5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/242bfe43-d535-42fd-ae1f-bc3b9e5be8e3
Result
Threat name:
Nanocore, DarkComet
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179664
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected Nanocore Rat
Disables the Windows task manager (taskmgr)
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DarkComet
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 812495 Sample: A1DB2JVWGG.CNT.exe Startdate: 21/02/2023 Architecture: WINDOWS Score: 100 113 lisajennyjohn.ddns.net 2->113 121 Malicious sample detected (through community Yara rule) 2->121 123 Antivirus detection for URL or domain 2->123 125 Antivirus detection for dropped file 2->125 127 12 other signatures 2->127 10 A1DB2JVWGG.CNT.exe 7 2->10         started        14 HRVPZj.exe 4 2->14         started        16 msdcsc.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 file5 101 C:\Users\user\AppData\Roaming\HRVPZj.exe, PE32 10->101 dropped 103 C:\Users\user\...\HRVPZj.exe:Zone.Identifier, ASCII 10->103 dropped 105 C:\Users\user\AppData\Local\...\tmpA198.tmp, XML 10->105 dropped 107 C:\Users\user\...\A1DB2JVWGG.CNT.exe.log, ASCII 10->107 dropped 151 Drops PE files to the document folder of the user 10->151 153 Uses schtasks.exe or at.exe to add and modify task schedules 10->153 155 Adds a directory exclusion to Windows Defender 10->155 20 A1DB2JVWGG.CNT.exe 1 5 10->20         started        24 powershell.exe 20 10->24         started        26 powershell.exe 21 10->26         started        36 2 other processes 10->36 157 Antivirus detection for dropped file 14->157 159 Multi AV Scanner detection for dropped file 14->159 161 Machine Learning detection for dropped file 14->161 28 schtasks.exe 14->28         started        163 Injects a PE file into a foreign processes 16->163 30 schtasks.exe 16->30         started        38 4 other processes 16->38 32 schtasks.exe 18->32         started        34 msdcsc.exe 18->34         started        signatures6 process7 file8 95 C:\Users\user\Documents\MSDCSC\msdcsc.exe, PE32 20->95 dropped 97 C:\Users\user\AppData\Local\Temp\STUB01.EXE, PE32 20->97 dropped 99 C:\Users\user\...\msdcsc.exe:Zone.Identifier, ASCII 20->99 dropped 129 Creates an undocumented autostart registry key 20->129 131 Writes to foreign memory regions 20->131 133 Allocates memory in foreign processes 20->133 135 Creates a thread in another existing process (thread injection) 20->135 40 msdcsc.exe 20->40         started        43 STUB01.EXE 20->43         started        59 3 other processes 20->59 47 conhost.exe 24->47         started        49 conhost.exe 26->49         started        51 conhost.exe 28->51         started        53 conhost.exe 30->53         started        55 conhost.exe 32->55         started        57 conhost.exe 36->57         started        signatures9 process10 dnsIp11 137 Antivirus detection for dropped file 40->137 139 Multi AV Scanner detection for dropped file 40->139 141 Machine Learning detection for dropped file 40->141 149 2 other signatures 40->149 61 msdcsc.exe 40->61         started        65 powershell.exe 40->65         started        67 powershell.exe 40->67         started        69 schtasks.exe 40->69         started        115 lisajennyjohn.ddns.net 37.0.14.196, 1759, 49715, 49716 WKD-ASIE Netherlands 43->115 117 mjosh6995.ddns.net 127.0.0.1 unknown unknown 43->117 109 C:\Program Files (x86)\...\dhcpmon.exe, PE32 43->109 dropped 111 C:\Users\user\AppData\Roaming\...\run.dat, data 43->111 dropped 143 Hides that the sample has been downloaded from the Internet (zone.identifier) 43->143 71 schtasks.exe 43->71         started        73 schtasks.exe 43->73         started        145 Uses cmd line tools excessively to alter registry or file data 59->145 147 Deletes itself after installation 59->147 75 conhost.exe 59->75         started        77 conhost.exe 59->77         started        79 2 other processes 59->79 file12 signatures13 process14 dnsIp15 119 lisajennyjohn.ddns.net 61->119 165 Changes security center settings (notifications, updates, antivirus, firewall) 61->165 167 Writes to foreign memory regions 61->167 169 Allocates memory in foreign processes 61->169 171 3 other signatures 61->171 81 STUB01.EXE 61->81         started        83 notepad.exe 61->83         started        85 conhost.exe 65->85         started        87 conhost.exe 67->87         started        89 conhost.exe 69->89         started        91 conhost.exe 71->91         started        93 conhost.exe 73->93         started        signatures16 process17
Detection:
darkcomet
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2b733276f28e8a547f7e2197e1be209c13718d5371922855264d1a5511ca66a5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-21 10:31:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fnzte5xsr2ffi736egl6dpratqjxddktogjcqvjgjunfkeokm2sq._file
Verdict:
malicious
Similar samples:
1283438598f854513cc5486567c3b41d64064ee7901b30db625704f956a5d633
NanoCore
1cf6ec5af4e2cf0c7bad29f2735a2db25584b153969866a74bcc323cf59a7875
NanoCore
281bdfe292c51e9d9141698bc95cac545d7f83c908ac38d1e9f69b76357c8d81
NanoCore
294a6483b66178781dd80269ed44df06ae73e3703edf116e0a92889250725c84
NanoCore
2a16f2ee7eee4dc583d3d36d3b119d4b10000dc7cbf7d76650558bf6c9448dcd
NanoCore
3f7658a27f67bee2e61e5232cc9219ad6d0b02725300bcc426ac527fc7099ab6
NanoCore
5e2059fde117e7f9a94d987c4e4088fe97586ca986d52851e83388fae34c36c6
NanoCore
8deb3514b80360ee819cf61e2140c3027a6fb865a18bb3cb5154f90384b0b372
NanoCore
9346fab19e5aff450bbe116e328d6fc71f90d6864813474a45d8f11f94f31b6c
NanoCore
+ 1'088 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet family:nanocore botnet:february 2023 evasion keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230221-mkdrnsee34/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Windows security modification
Disables Task Manager via registry modification
Sets file to hidden
Darkcomet
Modifies WinLogon for persistence
Modifies security service
NanoCore
Windows security bypass
Malware Config
C2 Extraction:
lisajennyjohn.ddns.net:9674
lisajennyjohn.ddns.net:1759
mjosh6995.ddns.net:1759
Unpacked files
SH256 hash:
e67027389fc876abd8f673740b95093688abb58000986fa8efd19916c1222422
MD5 hash:
6657a6901342374d404b46880b79c6b3
SHA1 hash:
e1423fb6bcfbf63376cb7896992502055eebfcdf
Link:
https://www.unpac.me/results/1db83bf6-1d4d-4f94-8c7b-caa663cfe812/
SH256 hash:
339d0e4b396ed3035f9efd0808445a3eaa701a7a14eb2fc5366fdb5739a5bfef
MD5 hash:
a114fe37920f4b3694b2f62678b155a8
SHA1 hash:
58000dabe679be8f307c0391d22488ce34fe68ab
Detections:
win_darkcomet_a0
Create hunting rule
win_nanocore_w0
Create hunting rule
win_darkcomet_auto
Create hunting rule
win_darkcomet_g0
Create hunting rule
Link:
https://www.unpac.me/results/1db83bf6-1d4d-4f94-8c7b-caa663cfe812/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/1db83bf6-1d4d-4f94-8c7b-caa663cfe812/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
f11ca8a4ea5b7a7c2b982020fec273ab6246b75ad4c9e45fbd475eb0a1350c17
MD5 hash:
2a0a9f880a5fc4e16971fc0752b0854c
SHA1 hash:
84952dbf095679f3d5da366c6ef99f13136bb4c5
Link:
https://www.unpac.me/results/1db83bf6-1d4d-4f94-8c7b-caa663cfe812/
SH256 hash:
90b5867b52447df076a8d2f2dcff558872720b2987a7208f048a14abd91efa86
MD5 hash:
b129da3388d615f01fb61caa7feebb80
SHA1 hash:
103bd4e82603bd3b09de839239ebb0f426addf88
Link:
https://www.unpac.me/results/1db83bf6-1d4d-4f94-8c7b-caa663cfe812/
SH256 hash:
1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed
MD5 hash:
1e22a8cf1859f0d1a75e71d719ea989d
SHA1 hash:
74c8f071a1ecee655576adebe57dea9d1b28ed67
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/1db83bf6-1d4d-4f94-8c7b-caa663cfe812/
SH256 hash:
2b733276f28e8a547f7e2197e1be209c13718d5371922855264d1a5511ca66a5
MD5 hash:
4b271fd529c4540f4306808cc333ab06
SHA1 hash:
6a2604e432c74aa662fd3fa9b7b31f123f624ed8
Link:
https://www.unpac.me/results/1db83bf6-1d4d-4f94-8c7b-caa663cfe812/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2b733276f28e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b733276f28e8a547f7e2197e1be209c13718d5371922855264d1a5511ca66a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/368593/

Comments