MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a91172e3abf9fa8c77eaab7bb0115ea0425e45b7f7e684f9114ea5051bcb341. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 15



SHA256 hash: 3a91172e3abf9fa8c77eaab7bb0115ea0425e45b7f7e684f9114ea5051bcb341
SHA3-384 hash: 781f8603d636b540937106c9733420b354b20251d3bf3e615aeb5a5ae25e26f74586a906df16a7c076d55b8d0c67f9c5
SHA1 hash: 0e3f00ac24ddbb88055491e81b5d7ba0ff0892f1
MD5 hash: 42fbf4768f936b594e154b259b5064c1
humanhash: cardinal-triple-red-cardinal
File name: 3A91172E3ABF9FA8C77EAAB7BB0115EA0425E45B7F7E6.exe
Signature: NanoCore
File size: 16'777'216 bytes
First seen: 2023-07-20 14:05:29 UTC
Last seen: 2023-07-20 14:31:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:CjRfbsw9j74aiGZcpFpD2+iNoKZsy8WU7g/ke2FYD5Fj1:5wl/sLDrimKh8WUkP2Fg
Threatray: 1'797 similar samples on MalwareBazaar
TLSH: T179F6D00A3B889ED3C2455B7944F7EB6A073CA4B6F807E39BAC4C15A52875BC17523F06
TrID:
  67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2f8ccb4b0b2d8e0 (2 x NanoCore, 1 x AsyncRAT)
Reporter: abuse_ch
Tags: exe NanoCore RAT


abuse_ch
NanoCore C2:
12.202.180.134:8550

Intelligence


File Origin
# of uploads: 2
# of downloads: 372
Origin country: NL
Vendor Threat Intelligence
Malware family: nanocore
ID: 1
File name: 3A91172E3ABF9FA8C77EAAB7BB0115EA0425E45B7F7E6.exe
Verdict: Malicious activity
Analysis date: 2023-07-20 14:06:38 UTC
Tags: nanocore rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys cmd evasive lolbin obfuscated overlay packed
Result
Verdict: MALICIOUS
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1276855
Sample: 3A91172E3ABF9FA8C77EAAB7BB0...
Startdate: 20/07/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 10 other signatures
Process tree (recovered from the graph):
- 3A91172E3ABF9FA8C77EAAB7BB0115EA0425E45B7F7E6.exe
    dropped: 3A91172E3ABF9FA8C7...25E45B7F7E6.exe.log (CSV)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    - RegAsm.exe
        network: justkowir.duckdns.org (12.202.180.134), ports 49697, 49698, 49699, FISERV-INCUS, United States
        dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    - cmd.exe
        dropped: C:\Users\user\AppData\Local\...\vjustca.exe (PE32); C:\Users\user\...\vjustca.exe:Zone.Identifier (ASCII)
        - conhost.exe
    - cmd.exe
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        - conhost.exe
    - 2 other processes
        - conhost.exe
        - schtasks.exe
- vjustca.exe
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    - cmd.exe
        - 2 other processes
    - 3 other processes
        - 2 other processes
- vjustca.exe
    - cmd.exe
        - 2 other processes
    - 3 other processes
        - 2 other processes
- vjustca.exe
    - 4 other processes
        - 4 other processes
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-07-19 23:26:00 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: family:nanocore evasion keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction: justkowir.duckdns.org:8550
Unpacked files
SHA256 hash: 0f1d6aab547ceca6e71ac2e5a54afdaea597318fe7b6ca337f5b92fdff596168
MD5 hash: fc6b48e4a26a58d4ac831717ba66c7cc
SHA1 hash: d85d002146457a6c2d5c4d574c6f85c7783995b1
Detections: win_nanocore_w0
SHA256 hash: 3a91172e3abf9fa8c77eaab7bb0115ea0425e45b7f7e684f9114ea5051bcb341
MD5 hash: 42fbf4768f936b594e154b259b5064c1
SHA1 hash: 0e3f00ac24ddbb88055491e81b5d7ba0ff0892f1
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments