MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3be7eca97e7ba084e0e4d7142b3c6bfdb7a9d32603e58cadb610a5437c177443. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3be7eca97e7ba084e0e4d7142b3c6bfdb7a9d32603e58cadb610a5437c177443
SHA3-384 hash: fe37e5736c31334a53de29493ef931ee321789b7ec434f481de9e95f5b63ae1fc8277a2922d67c37315dc6e836f64cac
SHA1 hash: 783ec5f86b8fad2a48e33b323bf6f6cd6d6d120e
MD5 hash: 842264fc32c2817bb2f327f332e23c42
humanhash: red-fish-connecticut-burger
File name:HVX_098765434567-5456799876.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:611'328 bytes
First seen:2021-11-16 13:57:49 UTC
Last seen:2021-11-16 15:32:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:hgH/I2uA2mOLINZqYMe9E4yOjxN5W14Pz0s4pVqOcXXq:hgH/IXAXO0jH9lF3WGPz0s46OcHq
Threatray 3'839 similar samples on MalwareBazaar
TLSH T125D4D232239D5105C8167EF3C665D2B24B61ED116B20C13E3647FDBA4ABA7538E0C6DE
File icon (PE):PE icon
dhash icon 0ee1d99c9cd1e10e (2 x NanoCore, 1 x AgentTesla)
Reporter JAMESWT_WT
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
3
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/206481/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1102.1577.9886.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6193b8f24912a8c920a046be/reports/dd2c7ea4-e963-401c-9df3-04e7002c38ea/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f70fe44d-0ab6-4c32-b4ce-01ab6af9df2b
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/890412
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: NanoCore
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 522890 Sample: HVX_098765434567-5456799876.exe Startdate: 16/11/2021 Architecture: WINDOWS Score: 100 58 1211.hopto.org 2->58 64 Multi AV Scanner detection for domain / URL 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 12 other signatures 2->70 9 HVX_098765434567-5456799876.exe 7 2->9         started        13 RegSvcs.exe 1 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 2->17         started        signatures3 process4 file5 52 C:\Users\user\AppData\...\JLmGoeDPdxmcEf.exe, PE32 9->52 dropped 54 C:\Users\user\AppData\Local\...\tmp3884.tmp, XML 9->54 dropped 56 C:\...\HVX_098765434567-5456799876.exe.log, ASCII 9->56 dropped 74 Uses schtasks.exe or at.exe to add and modify task schedules 9->74 76 Writes to foreign memory regions 9->76 78 Allocates memory in foreign processes 9->78 80 2 other signatures 9->80 19 RegSvcs.exe 1 11 9->19         started        24 powershell.exe 20 9->24         started        26 schtasks.exe 1 9->26         started        28 RegSvcs.exe 9->28         started        30 conhost.exe 13->30         started        32 conhost.exe 15->32         started        34 conhost.exe 17->34         started        signatures6 process7 dnsIp8 60 1211.hopto.org 185.140.53.131, 1211, 49754, 49755 DAVID_CRAIGGG Sweden 19->60 62 192.168.2.1 unknown unknown 19->62 48 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->48 dropped 50 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->50 dropped 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->72 36 schtasks.exe 1 19->36         started        38 schtasks.exe 1 19->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        file9 signatures10 process11 process12 44 conhost.exe 36->44         started        46 conhost.exe 38->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3be7eca97e7ba084e0e4d7142b3c6bfdb7a9d32603e58cadb610a5437c177443/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-16 13:58:10 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hpt6zkl6poqijyhe24kcwpdl7w32tuzgapsyzlnwccsug7axorbq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
07f511ce3b6a8fb409c1a05ea3e01a6d92422674224109c8d0889a017122098c
NanoCore
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
NanoCore
3be7eca97e7ba084e0e4d7142b3c6bfdb7a9d32603e58cadb610a5437c177443
NanoCore
3d8811d64e17d5ea06d0edae6163b90b2400d06d9afa60ae689d6fe9232bca86
NanoCore
4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9
NanoCore
5a8b4dc95322eed89a2c77350395f8c1f79394369bebec84703ae285092a37f5
NanoCore
7ceb354c4f419b3daed055ae62d5b1aaf58a7b715f8e9de08e5379e7e70ebeb6
NanoCore
98cfc2f76ee8cefd9aa0b9be4c317800223f93ffb6e63577e8a9466693585515
NanoCore
9f96527c9f839559485e89c5c5ff8f95708035fd55c9fac0c2edf3764224d860
NanoCore
d7cc44c8311a1e7001ca0e85434b068c4421ac3d9f79d080b11548f3eb584c90
NanoCore
+ 3'829 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211116-q9te7seah3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
.NET Reactor proctector
NanoCore
Malware Config
C2 Extraction:
1211.hopto.org:1211
185.140.53.131:1211
Unpacked files
SH256 hash:
86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f
MD5 hash:
bf5c170790a9378101dbc312303925e3
SHA1 hash:
bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8
Link:
https://www.unpac.me/results/492aaca2-c3b0-4780-a96b-b6c1f7de161e/
SH256 hash:
23485563770c2e29f5df6ca4cdfd9945eebe8fea34ba0553b8f693299f9e8089
MD5 hash:
b12b6f5d0aaf8b7a8f7f2a7692fdba58
SHA1 hash:
9a1f85dbfa17a51c34692aa8e0b8b13b37afd268
Link:
https://www.unpac.me/results/492aaca2-c3b0-4780-a96b-b6c1f7de161e/
SH256 hash:
aa3682157d391aea65da31b0494789a8eea1c0046b21782689a07f7460e4f932
MD5 hash:
c52272667b12b0586962ee78daee443f
SHA1 hash:
8825151502886d6d870b6b44cef0aeb1408c0c5d
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/492aaca2-c3b0-4780-a96b-b6c1f7de161e/
Parent samples :
7abbbdd16931347d25be59e2d7609c9b58c8d7e0a3a8c587c68abacf1f80e580
5a212200f9863805091c9b03bedc0f4145eca4907b8924224e0bf49182752d2f
7fb55c7160ff90700ea1b7258ff4a71037659ee4152a7877efa111ea609190c3
d7cc44c8311a1e7001ca0e85434b068c4421ac3d9f79d080b11548f3eb584c90
3be7eca97e7ba084e0e4d7142b3c6bfdb7a9d32603e58cadb610a5437c177443
02bf16ff2f32d689f47d750e106e87a61b7a0ad26a2823a13b51ee5295a6ae75
SH256 hash:
3be7eca97e7ba084e0e4d7142b3c6bfdb7a9d32603e58cadb610a5437c177443
MD5 hash:
842264fc32c2817bb2f327f332e23c42
SHA1 hash:
783ec5f86b8fad2a48e33b323bf6f6cd6d6d120e
Link:
https://www.unpac.me/results/492aaca2-c3b0-4780-a96b-b6c1f7de161e/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3be7eca97e7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3be7eca97e7ba084e0e4d7142b3c6bfdb7a9d32603e58cadb610a5437c177443

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/206481/

Comments