MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4525f8366e8c5c026a44cabbafd66c0dada4289009881a8a409080f1040ae99c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4525f8366e8c5c026a44cabbafd66c0dada4289009881a8a409080f1040ae99c
SHA3-384 hash: 24605d4e88d0bb5620b00091e3d706add5dbd2a0a8bc09e2fe5dc5e1ce4b2961572b1a0edbff820bac0c0bee1cf5207c
SHA1 hash: f9d6450e171aad87dd46e2900bdca49915df9cc4
MD5 hash: 2f2c5bf460d7e6a98b28fda25fc97181
humanhash: batman-five-nuts-ten
File name:Payment receipt 27.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:40'448 bytes
First seen:2022-05-27 18:32:00 UTC
Last seen:2022-05-27 19:40:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:pzpAx8Annu0jR7l6HR10nIVIAb6qhMNLzZcfVTRZ5H1SsIcu4LPXptj0KFok3WnE:dpK8enuikR10LlyTjScuytYKee
Threatray 5'199 similar samples on MalwareBazaar
TLSH T1BF03D4077E2B8975EA848B7BC5B792400370E75AB23BCB1D7851735AEE827C7CE21581
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0f33694dcd65231f (3 x AgentTesla, 1 x AveMariaRAT, 1 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
45.137.22.35:54984

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.137.22.35:54984 https://threatfox.abuse.ch/ioc/642510/

Intelligence

File Origin
# of uploads :
2
# of downloads :
470
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment receipt 27.exe
Verdict:
Suspicious activity
Analysis date:
2022-05-27 18:46:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2f052c61-4bb6-48dd-bbc1-c5897ba8b282

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/275086/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.5171.272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/62911946370bb1455cca9beb/reports/d110695b-e82e-4edf-ba87-f67928949533/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9101634a-82db-4def-b624-5262dab3944c
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1002884
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 635377 Sample: Payment receipt 27.exe Startdate: 27/05/2022 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 13 other signatures 2->55 7 Payment receipt 27.exe 16 7 2->7         started        12 Rxyrgth.exe 14 3 2->12         started        process3 dnsIp4 41 2.58.149.2, 49773, 49799, 80 GBTCLOUDUS Netherlands 7->41 33 C:\Users\user\AppData\Roaming\...\Rxyrgth.exe, PE32 7->33 dropped 35 C:\Users\user\...\Rxyrgth.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\...\Payment receipt 27.exe.log, ASCII 7->37 dropped 57 Writes to foreign memory regions 7->57 59 Injects a PE file into a foreign processes 7->59 14 InstallUtil.exe 9 7->14         started        19 cmd.exe 1 7->19         started        61 Machine Learning detection for dropped file 12->61 21 cmd.exe 1 12->21         started        23 InstallUtil.exe 12->23         started        file5 signatures6 process7 dnsIp8 43 lovemebygift.ddns.net 45.137.22.35, 49796, 49798, 49801 ROOTLAYERNETNL Netherlands 14->43 45 192.168.2.1 unknown unknown 14->45 39 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 14->39 dropped 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->47 25 conhost.exe 19->25         started        27 timeout.exe 1 19->27         started        29 conhost.exe 21->29         started        31 timeout.exe 1 21->31         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4525f8366e8c5c026a44cabbafd66c0dada4289009881a8a409080f1040ae99c/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-27 18:32:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ius7qntorroae2sezk527vtmbww2ikeqbgebvcsascapcbak5goa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
NanoCore
263565e9f77b5ee48474855d471315dd56d1bcabe4d037fb380d404b3afcd14e
NanoCore
45272694709263868523b77d0561757378cc2e8aa7d64c7ed21deaacbdf88b5b
NanoCore
7709c1a46eff201524b42caaecba9ce963f7580e77d7b9c32059aaf3acfb248a
NanoCore
862965d573744607a29489905cfc8abdd8f187874d476ef4263eee7e5175630a
NanoCore
8bf0518cd0c607aa51073dfe422f6af43ab8b43523bd0c182cc6172c9ecb9072
NanoCore
ddb292ac2c57e10703a5358532be2d46e4d5ea94361fd30be3c1e2bfb919621f
NanoCore
+ 5'189 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220527-w6l5lsgca4/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
lovemebygift.ddns.net:54984
127.0.0.1:54984
Unpacked files
SH256 hash:
4525f8366e8c5c026a44cabbafd66c0dada4289009881a8a409080f1040ae99c
MD5 hash:
2f2c5bf460d7e6a98b28fda25fc97181
SHA1 hash:
f9d6450e171aad87dd46e2900bdca49915df9cc4
Link:
https://www.unpac.me/results/2102c88c-9396-47c1-a056-f24dea16cd5d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/4525f8366e8c5c026a44cabbafd66c0dada4289009881a8a409080f1040ae99c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/275086/

Comments