MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45aa818299284f99b87dbacf4b0113ccc39674b9c39fedfd775e2b72d184a232. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45aa818299284f99b87dbacf4b0113ccc39674b9c39fedfd775e2b72d184a232
SHA3-384 hash: ff6fe87c50bc2c63b294a2660630d3c9196ba1aa579d395e0c0da04caeabdfd2e4b4d03e782cc448043ab5ada9f44589
SHA1 hash: d1bf7ba17d8af78ebda03307c70d32528bbec97d
MD5 hash: c49223ac90a9a27a0ac7514a3f0163b8
humanhash: minnesota-charlie-steak-quebec
File name:REQUEST ON ENQUIRY - JIANG MEIYUAN INDUSTRIES.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:787'456 bytes
First seen:2022-11-03 09:21:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:RTLd62ouHH1JJ2iNkAJVbZuc+Kc5UPZxx2yDVfsyLsM4B9qeKKZ9kejwFGfmla:CVu1j1uSbZucCCnVxsM4B9q/4eGb
Threatray 6'901 similar samples on MalwareBazaar
TLSH T1A5F41244B1A57AC8C67DCE7149B2710047FDAC72DB23E32B4C8539AC16BA7498533BA7
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13097/50/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f903c4c9c8c401f8 (1 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
171.22.30.90:3693

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
REQUEST ON ENQUIRY - JIANG MEIYUAN INDUSTRIES.exe
Verdict:
Malicious activity
Analysis date:
2022-11-03 09:25:12 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/6f97365f-4159-418c-9773-4a87d010a481

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/327844/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1893030f-963f-49bc-be9e-3bd93b5dd7dc
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1104257
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 736920 Sample: REQUEST ON ENQUIRY - JIANG ... Startdate: 03/11/2022 Architecture: WINDOWS Score: 100 49 netvillsm.giize.com 2->49 57 Snort IDS alert for network traffic 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Sigma detected: Scheduled temp file as task from temp location 2->61 63 12 other signatures 2->63 8 REQUEST ON ENQUIRY - JIANG MEIYUAN INDUSTRIES.exe 7 2->8         started        12 AFaJpu.exe 5 2->12         started        signatures3 process4 file5 39 C:\Users\user\AppData\Roaming\AFaJpu.exe, PE32 8->39 dropped 41 C:\Users\user\...\AFaJpu.exe:Zone.Identifier, ASCII 8->41 dropped 43 C:\Users\user\AppData\Local\Temp\tmp76F.tmp, XML 8->43 dropped 45 REQUEST ON ENQUIRY... INDUSTRIES.exe.log, ASCII 8->45 dropped 65 Adds a directory exclusion to Windows Defender 8->65 67 Injects a PE file into a foreign processes 8->67 14 REQUEST ON ENQUIRY - JIANG MEIYUAN INDUSTRIES.exe 9 8->14         started        19 powershell.exe 21 8->19         started        21 powershell.exe 21 8->21         started        23 schtasks.exe 1 8->23         started        69 Multi AV Scanner detection for dropped file 12->69 71 Machine Learning detection for dropped file 12->71 25 schtasks.exe 12->25         started        27 AFaJpu.exe 12->27         started        29 AFaJpu.exe 12->29         started        signatures6 process7 dnsIp8 51 netvillsm.giize.com 171.22.30.90, 3693, 49696, 49697 CMCSUS Germany 14->51 53 192.168.2.1 unknown unknown 14->53 47 C:\Users\user\AppData\Roaming\...\run.dat, data 14->47 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->55 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45aa818299284f99b87dbacf4b0113ccc39674b9c39fedfd775e2b72d184a232/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2022-11-03 09:07:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwvidauzfbhztod5xlhuwaitztbzm5fzyop637lxlyvxfumeuiza._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
1521a38b6aae5d1956ed09556fd9f6aa20b14d56e10232425aba7289b6d8bae5
NanoCore
25d3945b7a15346abb60c4d5ac56c959c266190fa335c313d598c09d7edc5ae5
NanoCore
41a9ae8ca0a4ff2c58b423a915e55af6de026730f327b727e7f1355456ca26d3
NanoCore
74bf4be5cd674b82ed1eee10d1187d16b8abd1c348d2527d8ff34d88fbc01114
NanoCore
831066d6f032f1208a63ad7d90d220fa305d949c2976666b9b6e40e557181a1b
NanoCore
a22ab5f71dfb368b8eb0b4aa8c04338e9e1d3e431ef6650281ecbe0f727e6073
NanoCore
bc76c9c1e2dde9ae01813b543363c72242aabcbeea23ab3762eb9221ba7c2bed
NanoCore
+ 6'891 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221103-lbxmragff7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
netvillsm.giize.com:3693
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5a37c065-b319-4b96-90cc-780e81ce5517
Unpacked files
SH256 hash:
5880c464d0c27e419b2b6ad0dce0602540eb364f5e763fc1e08b6b2c456b3580
MD5 hash:
479056da5810f27452d5955703e1a7c9
SHA1 hash:
fbdeb2bbccbdc0469a5c45bdb0d9cfaa3db65b6f
Link:
https://www.unpac.me/results/9cf9f883-7fb7-4afd-9159-1e04f373c09f/
SH256 hash:
9f3c57ee4279c4a082731645d00c89394b92a2515e40fc8b288d81066a4ce675
MD5 hash:
99cd504931ea8d96f1f9471cd9e39f1c
SHA1 hash:
81e6aa61504681e53e463f1ef395430f3ba0c2a8
Link:
https://www.unpac.me/results/9cf9f883-7fb7-4afd-9159-1e04f373c09f/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/9cf9f883-7fb7-4afd-9159-1e04f373c09f/
SH256 hash:
8354a7ad0499febdd288542828ad0355dcb7054c0c518266208e571c5122b0c6
MD5 hash:
6bfc7ce9ec7891d9d8494454332099b5
SHA1 hash:
34fc8cebba035e2cc6d27d636f9655949080bf8e
Link:
https://www.unpac.me/results/9cf9f883-7fb7-4afd-9159-1e04f373c09f/
SH256 hash:
b58f985f6999dee8bed24c0e9fd3f89125d29bb0e49b1f49a734ffa78bb075da
MD5 hash:
a59cad451d21aa0baf86fba311ca9920
SHA1 hash:
138e5361a0c1cf5ad5495e62e3066bf9b609876b
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/9cf9f883-7fb7-4afd-9159-1e04f373c09f/
Parent samples :
831066d6f032f1208a63ad7d90d220fa305d949c2976666b9b6e40e557181a1b
45aa818299284f99b87dbacf4b0113ccc39674b9c39fedfd775e2b72d184a232
SH256 hash:
45aa818299284f99b87dbacf4b0113ccc39674b9c39fedfd775e2b72d184a232
MD5 hash:
c49223ac90a9a27a0ac7514a3f0163b8
SHA1 hash:
d1bf7ba17d8af78ebda03307c70d32528bbec97d
Link:
https://www.unpac.me/results/9cf9f883-7fb7-4afd-9159-1e04f373c09f/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/45aa81829928/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45aa818299284f99b87dbacf4b0113ccc39674b9c39fedfd775e2b72d184a232

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/327844/

Comments