MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4116f2f35aafa0b2bfff2e1bd17bd953914e4505d6464288193a6c4638bd21c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4116f2f35aafa0b2bfff2e1bd17bd953914e4505d6464288193a6c4638bd21c6
SHA3-384 hash: ef74aa1697253181eae571a5a2c40863879d206f9e33a8480cdb15168ad34e1bb168e49ae039a81616f999f0a29e5d21
SHA1 hash: 19b941bf71059c69a109f7cff043475565c34630
MD5 hash: bbb2e175a2a7049bf8bdfd7367a8a6f0
humanhash: pluto-golf-sierra-johnny
File name:doc-file-pdf1.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'082'880 bytes
First seen:2022-06-13 09:26:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:gf51I1I1I17vUYsXVIHNKNx8qWTX/wZ2xC412U40X:ghGGGh89VI4p0V12U4E
Threatray 4'868 similar samples on MalwareBazaar
TLSH T14735DEC7D3128CB9F82822B664335C3D1767A47C80ACC56E0AAD717927A3E9E14F3957
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 81c1c1a14931d4c4 (2 x NanoCore, 1 x AgentTesla, 1 x AsyncRAT)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
85.202.169.14:9829

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
85.202.169.14:9829 https://threatfox.abuse.ch/ioc/697510/

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
doc-file-pdf1.exe
Verdict:
Malicious activity
Analysis date:
2022-06-13 09:27:48 UTC
Tags:
rat nanocore trojan asyncrat
Link:
https://app.any.run/tasks/6d9910f1-afd7-4d73-a7e6-d050ce6d7a4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/279304/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.1364.UNOFFICIAL
Create hunting rule

Win.Malware.Filerepmetagen-9855920-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a702ee73b91c38f689f592/reports/b4f33fac-c596-4f71-b730-fec598dd0f16/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6f23181-261c-42ce-99e8-d63a7cef1acb
Result
Threat name:
Nanocore, AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1011883
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 644381 Sample: doc-file-pdf1.exe Startdate: 13/06/2022 Architecture: WINDOWS Score: 100 64 docfilepdf.ddns.net 2->64 70 Snort IDS alert for network traffic 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for URL or domain 2->74 76 14 other signatures 2->76 10 doc-file-pdf1.exe 7 2->10         started        14 docfilepdf.exe 2->14         started        16 dhcpmon.exe 2->16         started        18 dhcpmon.exe 2->18         started        signatures3 process4 file5 50 C:\Users\user\AppData\...50rsmWWDLPrNJ.exe, PE32 10->50 dropped 52 C:\Users\...52rsmWWDLPrNJ.exe:Zone.Identifier, ASCII 10->52 dropped 54 C:\Users\user\AppData\Local\...\tmpA5DF.tmp, XML 10->54 dropped 56 C:\Users\user\...\doc-file-pdf1.exe.log, ASCII 10->56 dropped 78 Uses schtasks.exe or at.exe to add and modify task schedules 10->78 80 Adds a directory exclusion to Windows Defender 10->80 82 Injects a PE file into a foreign processes 10->82 20 doc-file-pdf1.exe 3 10->20         started        23 powershell.exe 25 10->23         started        25 schtasks.exe 1 10->25         started        58 C:\Users\user\AppData\...\docfilepdf.exe.log, ASCII 14->58 dropped signatures6 process7 file8 46 C:\Users\user\AppData\...\docfilepdf.exe, PE32 20->46 dropped 48 C:\Users\user\AppData\Local\...\doc-file.exe, PE32 20->48 dropped 27 docfilepdf.exe 20->27         started        32 doc-file.exe 2 20->32         started        34 conhost.exe 23->34         started        36 conhost.exe 25->36         started        process9 dnsIp10 66 127.0.0.1 unknown unknown 27->66 60 C:\Program Files (x86)\...\dhcpmon.exe, PE32 27->60 dropped 62 C:\Users\user\AppData\Roaming\...\run.dat, data 27->62 dropped 84 Antivirus detection for dropped file 27->84 86 Machine Learning detection for dropped file 27->86 88 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->88 38 schtasks.exe 27->38         started        40 schtasks.exe 27->40         started        68 docfilepdf.ddns.net 85.202.169.14, 49745, 49748, 49755 GUDAEV-ASRU Netherlands 32->68 file11 signatures12 process13 process14 42 conhost.exe 38->42         started        44 conhost.exe 40->44         started       
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4116f2f35aafa0b2bfff2e1bd17bd953914e4505d6464288193a6c4638bd21c6/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2022-06-13 09:27:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ielpf422v6qlfp77fyn5c66zkoiu4rif2zdefcazhjwemof5ehda._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
nanocorerat
Create hunting rule
Similar samples:
0758171eb92e029d38cef3237e2cdd899827cdeeb3386761933254981b707809
NanoCore
1505187e442f73d262bf221a75bd80319bc002183d4634ec5cfa655ef9f82c6f
NanoCore
40c935ce8104afa8a498a4bde6146fb548e202370212ebbb7851ed443b3af510
NanoCore
48edd19f150f6864d5179240e15c60af024d1e18ed34736abcdd59b1c636412b
NanoCore
b456e525822c88584714321dfb3f1aa4ce6ac1efeea7d83792a7d109de17302e
NanoCore
cacb2f55774ab3d5f1e89e164ea67bfa9b0f612a6e64dd8b31d062bec1d12cb6
NanoCore
d8fb0f57ebd4dc27d230b65b213f60217492438cdbf2aaad4e6d6a14a1f17cc5
NanoCore
+ 4'858 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:nanocore botnet:payment-pdf evasion keylogger persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220613-lerkxabdc3/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
NanoCore
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
85.202.169.14:855
docfilepdf.ddns.net:9829
127.0.0.1:9829
Unpacked files
SH256 hash:
54bb46babd6c31a30f98c5a4c9d207e803be8a919a670a34317d2e8a02681f83
MD5 hash:
3006cc1118748140a780540418894d6c
SHA1 hash:
5282be2fae71a8e905cdbfeaf688d5ee67f382c7
Detections:
win_asyncrat_w0
Create hunting rule
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/0fd40b56-dd08-4089-9b29-31fdbd96585c/
SH256 hash:
c8248d6907d71a38cde2ed668bb3c116c2d6a1cc4532f336d3df45ccd11765fa
MD5 hash:
a3ef752e2d1d6f877e38f84bde4bd711
SHA1 hash:
bbdbad514a571aadc79d2f5fb263024d37c90248
Link:
https://www.unpac.me/results/0fd40b56-dd08-4089-9b29-31fdbd96585c/
SH256 hash:
294dccef13a57dabc755eeb070ee4ce67c1fc3125e29ebe5530ad3114ee60589
MD5 hash:
0f4d2c2e0d6b7bedc0f6dad68c1cd5b2
SHA1 hash:
7964e0e8013622c71f4341c96d546dba5f8147a8
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/0fd40b56-dd08-4089-9b29-31fdbd96585c/
Parent samples :
4116f2f35aafa0b2bfff2e1bd17bd953914e4505d6464288193a6c4638bd21c6
54e1ab14597cb30427c2410c8605c9af2f4fd567af3f4f40b2671962cadd15ab
SH256 hash:
b97d9ccd69b467239d756a7e9fd437b49618193b373f1f84b1e0f379b5803805
MD5 hash:
14c8e14ce961cd1959c112c8d34b7dcc
SHA1 hash:
5b645ff85c6b134a996d159cc2f130dc9fb249db
Link:
https://www.unpac.me/results/0fd40b56-dd08-4089-9b29-31fdbd96585c/
SH256 hash:
41c7ccc6c482b078e1c6ae5a6c229b424afaa22edb7334a4abad5793feecebb4
MD5 hash:
83ff806091e472c62246ce1a3c9087b3
SHA1 hash:
524a3a8b21b9820a7c63146d6e1aa62f133819bd
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/0fd40b56-dd08-4089-9b29-31fdbd96585c/
Parent samples :
4116f2f35aafa0b2bfff2e1bd17bd953914e4505d6464288193a6c4638bd21c6
54e1ab14597cb30427c2410c8605c9af2f4fd567af3f4f40b2671962cadd15ab
SH256 hash:
dec15271d422cf3b82c0a94cf147312bb5a4a4f262da4b698ffe7e6bdaf18053
MD5 hash:
79c5c39e29ebe233cd13a50987e64609
SHA1 hash:
0560314716e6519158009159c017d2b52116608e
Link:
https://www.unpac.me/results/0fd40b56-dd08-4089-9b29-31fdbd96585c/
SH256 hash:
4116f2f35aafa0b2bfff2e1bd17bd953914e4505d6464288193a6c4638bd21c6
MD5 hash:
bbb2e175a2a7049bf8bdfd7367a8a6f0
SHA1 hash:
19b941bf71059c69a109f7cff043475565c34630
Link:
https://www.unpac.me/results/0fd40b56-dd08-4089-9b29-31fdbd96585c/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4116f2f35aaf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4116f2f35aafa0b2bfff2e1bd17bd953914e4505d6464288193a6c4638bd21c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/279304/

Comments