MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44d428c1d7abb9f2477a913e431e19d390f9e5abe192d45ad50e1d85f7d43e4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44d428c1d7abb9f2477a913e431e19d390f9e5abe192d45ad50e1d85f7d43e4a
SHA3-384 hash: 16748d6b67d7edc27fff0a7351a7c1a3d29bc6b79eb1afcf963409cf1bca1760d9b6d5628a28d074b8f8051a96d9c971
SHA1 hash: 8878b73169338867b728e115d92a6516706bea57
MD5 hash: 96c2630311e9b668dec302760afc9561
humanhash: foxtrot-angel-ten-berlin
File name:PO#5100016489.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:16'384 bytes
First seen:2022-03-14 19:01:24 UTC
Last seen:2022-03-15 08:00:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 192:A+ARXfNWLD0hGlueL2c6txPqutllA5ziir3TkKH5KAWQwoocRi:D+cX0clueL2ZrSua/LwoocR
Threatray 74 similar samples on MalwareBazaar
TLSH T1CE721956AB888376E9644F3458635B400B75BF12BC26F62E2F99315F0F732E049B1A32
File icon (PE):PE icon
dhash icon e0c4a2a2a4bcbcf8 (15 x Loki, 12 x Formbook, 5 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
194.31.98.223:1187

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.31.98.223:1187 https://threatfox.abuse.ch/ioc/395225/

Intelligence

File Origin
# of uploads :
3
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250389/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Creating a window
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/622f9135b94fb38cb47d23a6/reports/2605e984-36c8-4452-b461-c7727ef1f4bd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b842dd1-0e23-41b1-8b3a-2b628bef1367
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/956453
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected MSILDownloaderGeneric
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 588939 Sample: PO#5100016489.exe Startdate: 14/03/2022 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Multi AV Scanner detection for domain / URL 2->65 67 Found malware configuration 2->67 69 15 other signatures 2->69 7 PO#5100016489.exe 16 7 2->7         started        12 Pvocu.exe 14 4 2->12         started        14 Pvocu.exe 3 2->14         started        16 dhcpmon.exe 2->16         started        process3 dnsIp4 59 cdn.discordapp.com 162.159.130.233, 443, 49755, 49778 CLOUDFLARENETUS United States 7->59 53 C:\Users\user\AppData\Roaming\...\Pvocu.exe, PE32 7->53 dropped 55 C:\Users\user\...\PO#5100016489.exe.log, ASCII 7->55 dropped 73 Writes to foreign memory regions 7->73 75 Allocates memory in foreign processes 7->75 77 Injects a PE file into a foreign processes 7->77 18 MSBuild.exe 1 10 7->18         started        23 cmd.exe 1 7->23         started        79 Multi AV Scanner detection for dropped file 12->79 25 cmd.exe 12->25         started        27 MSBuild.exe 12->27         started        29 MSBuild.exe 12->29         started        61 162.159.133.233, 443, 49779 CLOUDFLARENETUS United States 14->61 31 cmd.exe 14->31         started        33 MSBuild.exe 14->33         started        35 conhost.exe 16->35         started        file5 signatures6 process7 dnsIp8 57 deranano1.ddns.net 194.31.98.223, 1187, 49777 BURSABILTR Netherlands 18->57 49 C:\Users\user\AppData\Roaming\...\run.dat, International 18->49 dropped 51 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->51 dropped 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->71 37 conhost.exe 23->37         started        39 timeout.exe 1 23->39         started        41 conhost.exe 25->41         started        43 timeout.exe 25->43         started        45 conhost.exe 31->45         started        47 timeout.exe 31->47         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44d428c1d7abb9f2477a913e431e19d390f9e5abe192d45ad50e1d85f7d43e4a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 19:02:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=itkcrqoxvo47er32se7eghqz2oiptznl4gjniwwvbyoyl56uhzfa._file
Verdict:
malicious
Similar samples:
488aeadb7b5bfdcf2b7bf7f25518f6ccaf136e90bf81409838d7f8051938d076
NanoCore
53777546c28cb8912525bf2f3f0e7a69e29f61755b82cbba7d1a0c0d9c562536
NanoCore
732ba56b4b4044d7356b745db037e41fafe74dd8610e29c5b8c811a18936c09a
NanoCore
7b0f445718f91d7d32669089ecf436c8cfc3639f756ef1d91f8ba5aa90c5145a
NanoCore
8f7bab9df8b75b06db3d3386c8fea2e31c3c829793e6176f54daeaff7e9654fc
NanoCore
973294652225d5fa7ed66a39c2c0b1ef2b518169f1300ca0109c61cde55d35f1
NanoCore
992a54c553bf5b53990d181c24b9ba44b93bc9f02f5a3d42dbf4d1e1f57ead5f
NanoCore
dab47d33a292ab6b5b8aa525857160906629f9fd1b8dc1e3a37f62247d7ce8e0
NanoCore
fca3a8527a1f895a5aa06d5cec9ba6be6644ae8ba144a0f3be590f4c4e761cfe
NanoCore
+ 64 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220314-xqc3fabca3/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
deranano1.ddns.net:1187
194.31.98.223:1187
Unpacked files
SH256 hash:
44d428c1d7abb9f2477a913e431e19d390f9e5abe192d45ad50e1d85f7d43e4a
MD5 hash:
96c2630311e9b668dec302760afc9561
SHA1 hash:
8878b73169338867b728e115d92a6516706bea57
Link:
https://www.unpac.me/results/6e9eda36-51b2-479c-b103-5ff1d1beafc7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/44d428c1d7abb9f2477a913e431e19d390f9e5abe192d45ad50e1d85f7d43e4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/250389/

Comments