MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 301327113173e1a09d26663802c3e61571e49eb4022138e4b8a5a4c59c5aef84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 301327113173e1a09d26663802c3e61571e49eb4022138e4b8a5a4c59c5aef84
SHA3-384 hash: db7ec00916fb45812a102e3fb436709ccb44f0caf0feb1cada1295f5ccdc0e00322b10f5fd52df352468c65c2bb91790
SHA1 hash: 07753b9f13d935a69cd122588ae34f95efde109f
MD5 hash: 0e421d8294a07387eae2ce4b806c1a08
humanhash: black-sweet-equal-speaker
File name:SecuriteInfo.com.W32.AIDetectNet.01.13086.27589
Download: download sample
Signature NanoCore
Create hunting rule
File size:981'504 bytes
First seen:2022-08-22 06:31:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:FfEWcBeeEH1zc8PHfeADdojG4p7Nb4r9ESz6wb7n0nQlX4XS9S2oS:ZEvBSHOAHfTJojfzb4r9EDQlX4Xz2
Threatray 4'520 similar samples on MalwareBazaar
TLSH T17025BE5CABA6C555EC2D0178E0A656F01222EC15F52AEE8FB5CBFEE93E363BC4445103
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 4d4d4dc4c0507495 (7 x Loki, 6 x AgentTesla, 5 x Formbook)
Reporter SecuriteInfoCom
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.13086.27589
Verdict:
Malicious activity
Analysis date:
2022-08-22 06:33:00 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/89362c6c-989f-4b3d-a24b-78873a0c5837

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300139/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.13086.27589.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6303232805ef0c24e41da7bb/reports/b500f304-80b2-4322-82a1-a8c2a5510cbb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9629c75-6a59-45e8-8a34-018e97982bea
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055325
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 687844 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 22/08/2022 Architecture: WINDOWS Score: 100 76 brewsterchristophe.ddns.net 2->76 80 Snort IDS alert for network traffic 2->80 82 Multi AV Scanner detection for domain / URL 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 14 other signatures 2->86 9 SecuriteInfo.com.W32.AIDetectNet.01.13086.exe 7 2->9         started        13 SecuriteInfo.com.W32.AIDetectNet.01.13086.exe 4 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 2->17         started        signatures3 process4 file5 68 C:\Users\user\AppData\Roaming\HgySrc.exe, PE32 9->68 dropped 70 C:\Users\user\...\HgySrc.exe:Zone.Identifier, ASCII 9->70 dropped 72 C:\Users\user\AppData\Local\...\tmp889A.tmp, XML 9->72 dropped 74 SecuriteInfo.com.W...et.01.13086.exe.log, ASCII 9->74 dropped 90 Uses schtasks.exe or at.exe to add and modify task schedules 9->90 92 Adds a directory exclusion to Windows Defender 9->92 94 Injects a PE file into a foreign processes 9->94 19 SecuriteInfo.com.W32.AIDetectNet.01.13086.exe 1 16 9->19         started        24 powershell.exe 25 9->24         started        26 schtasks.exe 1 9->26         started        28 powershell.exe 13->28         started        30 schtasks.exe 13->30         started        32 SecuriteInfo.com.W32.AIDetectNet.01.13086.exe 13->32         started        34 powershell.exe 15->34         started        36 2 other processes 15->36 38 3 other processes 17->38 signatures6 process7 dnsIp8 78 brewsterchristophe.ddns.net 109.206.241.195, 49708, 49711, 49717 AWMLTNL Germany 19->78 62 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->62 dropped 64 C:\Users\user\AppData\Roaming\...\run.dat, data 19->64 dropped 66 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->66 dropped 88 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->88 40 schtasks.exe 1 19->40         started        56 2 other processes 19->56 42 conhost.exe 24->42         started        44 conhost.exe 26->44         started        46 conhost.exe 28->46         started        48 conhost.exe 30->48         started        50 conhost.exe 34->50         started        52 conhost.exe 36->52         started        54 conhost.exe 38->54         started        file9 signatures10 process11 process12 58 conhost.exe 40->58         started        60 conhost.exe 56->60         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/301327113173e1a09d26663802c3e61571e49eb4022138e4b8a5a4c59c5aef84/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-22 04:19:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gajsoejropq2bhjgmy4afq7gcvy6jhvuaiqtrzfyuwsmlhc256ca._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
njrat
Create hunting rule
Similar samples:
06af98f5f328aabcffc8f302f664604b77c1929aa555650edf2eddb9922c50be
NanoCore
1ecbe12894a4e76f7b609f70718c1175906a8f975d12311bfe0bf3ef26864205
NanoCore
216a816819a5ce7f41a09bb6bfa46454dc2818a11eb28ea71d334bc97b1cfc24
NanoCore
41a929b8f77738480f9181bfabdd5c49e7ee13fcf89a470374f8070952024caf
NanoCore
49d62dd6da73771894fbb042c49c3f487f0f8388aab64db42c8ab132df10c234
NanoCore
5d3b73f33169ea63cb2c9f119ac1b16c205c3518f56d47baf3e55b0761a18dc6
NanoCore
7801c3f3c029d7f152d029db7d5df5f72d4a3dd9c649afa08ec1fea2e9ee4e72
NanoCore
e1f6cb63f580a6303a39bc4ed897c156df8aa7a149cd5c982ffef28dda3e3095
NanoCore
f3009e5a76bdb5e0401e6e0ffc904cc39085d8d4d7ccf419e9f9608fb913755d
NanoCore
f30fd3eac2f68db757aa698a3438c007c52e7959a92d16015289621e5c538d4f
NanoCore
+ 4'510 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220822-hal8vaeha9/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
brewsterchristophe.ddns.net:5899
194,147,5,75:5899
Unpacked files
SH256 hash:
ceda93fdfce3ad8e4f800d4f2d940d793b68b4b0b254b652bf42e13dbd189ba7
MD5 hash:
786afe844ec1723b635cace747b60efd
SHA1 hash:
fa647a584a7fcad392147a182e3a2435b3ad5bb9
Link:
https://www.unpac.me/results/319dbef4-323b-4875-8eab-8a715c5c8554/
SH256 hash:
c27d9c53b1816190405af34b5fd87785e6860b7d3e8714dcaee70cd9b1ef1e7c
MD5 hash:
840c2b57b4a133004b298989c242f16e
SHA1 hash:
a364ce9a703f88c4161db1ac87d362a5479ddcf6
Link:
https://www.unpac.me/results/319dbef4-323b-4875-8eab-8a715c5c8554/
SH256 hash:
1705f8964f5c236633462fd39a5014dab266d579d4c6eefb65ac1ce95e22c552
MD5 hash:
23e4d54d6d369f1cef788806c92f512a
SHA1 hash:
274d8ceb73e8ed7661451c8aba24cecd830cd302
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/319dbef4-323b-4875-8eab-8a715c5c8554/
Parent samples :
a321efcbd0394eade04263fd6498396c3e831ed65aa349c00dbf2b131994e19a
57fd565bb44788ce8f547cf1f439fb37bbe78944175bbc43ffa4b64156665556
c59c3b7e61af36979afe094310c06e24677975d07026ec9af07bfde74da794b6
8c8804a51f249b24b1ae1ad4487ed7bddd999f2a38158ef789af1c215559470e
d6538ca0dc816bcfb3f60df32e6550b91f3bd055af29f02591bcc3523ef921f6
78a74ab5a966c5040df4bb1b1a08a3bfa7d947aaee7e926b52a20186ed7f7158
64fb8789e8e0fb9c082c2999538a5dec7de3d0f722db0e95024134cce9a6d3d0
449055658e47e349dc4bb4e3c0adb81350033e687379f97237c6c80d6f1cb228
6b9c180d50ea0534d74fa091c19e53e40d98362cf4cc89519a65f328a701c6d4
0c8a003199b0dad7f78d98264132563b69b9dc7db94070f8f4e3a8d772ba31e8
b80b496fbcd8fdc4e6bc183162a25e530bf8b2ed8b8adf5ea1285159527942e2
1521a38b6aae5d1956ed09556fd9f6aa20b14d56e10232425aba7289b6d8bae5
c8f0e0c3a2fdc30c0bdb9981d9351b645991582db1a3f13858b180d9fe336694
1f3a7e183273798800d2655de5632cf9d900ba43cb7141ee871138baa58368a9
fadc03fc007070883778ae79c131e4c7b32e4fd9bcfce160471c2562c1a1fffb
b2b9d072b9292b91cb1b06073976e14ad1b2ae058b9c0d8b501105aca2881599
8a3d4a0f0802ea706906f866136b5e9544209d2e11e5c8b807a0a1a4dc378adb
13b4310ab48353c03081863aed798e98bd052f34a185deec31cc53fb8581400b
6039522fefe49f8bd1fdce03aaaace7c17b953ee76866329664d3a170bf13e2c
46d47ddb45405f4df17bb8257f53cc4136224e7869f870c1e6fcc34a81a28c4a
301327113173e1a09d26663802c3e61571e49eb4022138e4b8a5a4c59c5aef84
092800cb5a3d6b797e42f69f02c7247a85c87f5c9cf42811401d37dd8d1f7333
f7855a902d3593167f12ec67e73d286537596ce14aba2c890cfcfac016f4d564
b49ae429c9b3e4e9e59823d44795b16fc7184e5d18d9c7a1b7f70e11ee6c4400
6c29578e601488f2515975c4d31bd6a5042da0578d9eef2db6801bffba10cf23
3dddb479a1240c5cfdc2636cdd8bc0ecd3d2e9da37a6b4d73e206a768cc24181
6c8576cf231fd3e4c6812399704820c6b9d462e99d696181adf071015b92ea27
5f203844e8cb82ad24fcef815c4fcb03fa14789663e8fa83b459e6f1f1852f27
f01dd589bf6eee71da5d8f1dd99471c0ff2b2e4071147bfcad07d75727258425
a509158e1105757bec0ff3f7dd621360d0acb1f17271841c19dab776004cd17e
f2d01738489cb69458555f6fe64ba65e0ed7fe444f2eb04ad71c968ded40d48c
9d3daf108dbb469968ba5f3bacd9a629c274f00d74eba9569d59609242700349
bafacce7e32e02ec671933a99bdb31c65addf24813422f50f0a5879637210255
2c49d57864b4be1f8b2907b78e963abc931333d98ad1653be2a9826f412500fb
5f33488d404030c908ce3cc6a99867d2ccd697e2d67a5e02d23fe73b45f7e2a0
982d20cce7e6458f1b964b36efef0c7245bd155962c04b08e02323c9efc60f3b
2777c2ab1358ff442a0744634600581a71c0ea57b983437aaf1b2b184e249c3e
70a17ce04f4103804cdcb27e36235a89ba45561e5a477da5dc1a5e6f604d0ea7
a89892d742a7c1c0e63d3606d9e4764a8f6318dbbc58c2a2f14963fb47c380a8
09bb497c378ed884983055338dce20e8db38ed9b966da929b0f1d5d646a52808
SH256 hash:
3e6f8e01dbc3cbc5906d70b7b55939fdef9f890ab7932e754841d4c409272636
MD5 hash:
9694f13855a5366ef88460d1391fc6a7
SHA1 hash:
2535824e6d12c5ec3e3f8a9616b68965f059bcfc
Link:
https://www.unpac.me/results/319dbef4-323b-4875-8eab-8a715c5c8554/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/319dbef4-323b-4875-8eab-8a715c5c8554/
SH256 hash:
301327113173e1a09d26663802c3e61571e49eb4022138e4b8a5a4c59c5aef84
MD5 hash:
0e421d8294a07387eae2ce4b806c1a08
SHA1 hash:
07753b9f13d935a69cd122588ae34f95efde109f
Link:
https://www.unpac.me/results/319dbef4-323b-4875-8eab-8a715c5c8554/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/301327113173/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/301327113173e1a09d26663802c3e61571e49eb4022138e4b8a5a4c59c5aef84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/300139/

Comments