MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470
SHA3-384 hash: b6370ecbbbbe4bb95d2701b57daa22fa4c298f83416d2fe1852f6f0ab501c6d84b7f1952a5e2acc6e7ad2226d1a5727e
SHA1 hash: d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0
MD5 hash: 543dc2f0c0753a513107e1a927ae99d5
humanhash: quebec-december-winter-kitten
File name:PO091K43Z9.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:2'042'368 bytes
First seen:2023-02-27 06:55:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 49152:NezI7YEYMFigIlrrVdp7CEmUxvKAfOi/6hH13:ECjOrTAoHmi/E
Threatray 5 similar samples on MalwareBazaar
TLSH T14E959D0AC9B6C8AAF4AE487C0134174F2932AF52651DE3D59D397938DC39BE2B1C8D71
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon cfcf4a4c4c4cc3cf (4 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
91.193.75.133:22233

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
PO091K43Z9.exe
Verdict:
Malicious activity
Analysis date:
2023-02-27 06:57:49 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/5a7b97eb-c24b-4f81-b448-c200a9434866

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkComet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369932/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Сreating synchronization primitives
Creating a process with a hidden window
Launching cmd.exe command interpreter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63fc54055d47c2515e807b3f/reports/78d7240d-76b1-4992-aab1-dc5968b0c58d/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cbb096f3-f5ec-41fe-8abd-db89dd4a7557
Result
Threat name:
Nanocore, DarkComet
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1182907
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected Nanocore Rat
Disables the Windows task manager (taskmgr)
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DarkComet
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 815738 Sample: PO091K43Z9.exe Startdate: 27/02/2023 Architecture: WINDOWS Score: 100 107 mjosh6995.ddns.net 2->107 115 Snort IDS alert for network traffic 2->115 117 Malicious sample detected (through community Yara rule) 2->117 119 Antivirus detection for URL or domain 2->119 121 11 other signatures 2->121 10 PO091K43Z9.exe 7 2->10         started        14 msdcsc.exe 2->14         started        16 uawdcNde.exe 3 2->16         started        18 4 other processes 2->18 signatures3 process4 file5 99 C:\Users\user\AppData\Roaming\uawdcNde.exe, PE32 10->99 dropped 101 C:\Users\...\uawdcNde.exe:Zone.Identifier, ASCII 10->101 dropped 103 C:\Users\user\AppData\Local\...\tmp6EFE.tmp, XML 10->103 dropped 105 C:\Users\user\AppData\...\PO091K43Z9.exe.log, ASCII 10->105 dropped 153 Drops PE files to the document folder of the user 10->153 155 Uses schtasks.exe or at.exe to add and modify task schedules 10->155 157 Adds a directory exclusion to Windows Defender 10->157 20 PO091K43Z9.exe 1 5 10->20         started        24 powershell.exe 19 10->24         started        26 powershell.exe 21 10->26         started        34 2 other processes 10->34 159 Injects a PE file into a foreign processes 14->159 28 schtasks.exe 14->28         started        30 msdcsc.exe 14->30         started        32 msdcsc.exe 14->32         started        161 Machine Learning detection for dropped file 16->161 signatures6 process7 file8 89 C:\Users\user\Documents\MSDCSC\msdcsc.exe, PE32 20->89 dropped 91 C:\Users\user\AppData\Local\Temp\STUB01.EXE, PE32 20->91 dropped 93 C:\Users\user\...\msdcsc.exe:Zone.Identifier, ASCII 20->93 dropped 123 Creates an undocumented autostart registry key 20->123 125 Writes to foreign memory regions 20->125 127 Allocates memory in foreign processes 20->127 129 Creates a thread in another existing process (thread injection) 20->129 36 msdcsc.exe 20->36         started        40 STUB01.EXE 20->40         started        43 cmd.exe 20->43         started        53 2 other processes 20->53 45 conhost.exe 24->45         started        47 conhost.exe 26->47         started        49 conhost.exe 28->49         started        51 conhost.exe 34->51         started        signatures9 process10 dnsIp11 109 192.168.2.1 unknown unknown 36->109 131 Machine Learning detection for dropped file 36->131 133 Adds a directory exclusion to Windows Defender 36->133 135 Injects a PE file into a foreign processes 36->135 55 msdcsc.exe 36->55         started        59 powershell.exe 36->59         started        61 powershell.exe 36->61         started        63 schtasks.exe 36->63         started        111 lisajennyjohn.ddns.net 91.193.75.133, 22233, 49705, 49706 DAVID_CRAIGGG Serbia 40->111 95 C:\Program Files (x86)\...\dhcpmon.exe, PE32 40->95 dropped 97 C:\Users\user\AppData\Roaming\...\run.dat, data 40->97 dropped 137 Antivirus detection for dropped file 40->137 139 Hides that the sample has been downloaded from the Internet (zone.identifier) 40->139 65 schtasks.exe 40->65         started        67 schtasks.exe 40->67         started        141 Uses cmd line tools excessively to alter registry or file data 43->141 69 conhost.exe 43->69         started        71 attrib.exe 43->71         started        143 Deletes itself after installation 53->143 73 2 other processes 53->73 file12 signatures13 process14 dnsIp15 113 mjosh6995.ddns.net 127.0.0.1 unknown unknown 55->113 145 Changes security center settings (notifications, updates, antivirus, firewall) 55->145 147 Writes to foreign memory regions 55->147 149 Allocates memory in foreign processes 55->149 151 3 other signatures 55->151 75 STUB01.EXE 55->75         started        77 notepad.exe 55->77         started        79 conhost.exe 59->79         started        81 conhost.exe 61->81         started        83 conhost.exe 63->83         started        85 conhost.exe 65->85         started        87 conhost.exe 67->87         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 03:23:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jzlrhtxmc4hijsxje6nvzcnp2umtrnjvfz7tsprl2veqzsovurya._file
Verdict:
malicious
Similar samples:
2b733276f28e8a547f7e2197e1be209c13718d5371922855264d1a5511ca66a5
NanoCore
8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69
NanoCore
e7534a0a853b8f9adac6cdf14f130c09c955b913726507f28a18c1e6700820aa
NanoCore
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet family:nanocore botnet:febuary 2023 evasion keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230227-hqcz4sca8w/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Windows security modification
Disables Task Manager via registry modification
Sets file to hidden
Darkcomet
Modifies WinLogon for persistence
Modifies security service
NanoCore
Windows security bypass
Malware Config
C2 Extraction:
mjosh6995.ddns.net:55665
lisajennyjohn.ddns.net:22233
mjosh6995.ddns.net:22233
Unpacked files
SH256 hash:
643d9bebec4f7e42d49dc4ac8c28359fdf157383e21ec7c02b69273ba28ae73a
MD5 hash:
b669c5c6c18c46273be1d731904080ac
SHA1 hash:
7f5c66e657f1580c6b5791cf5745c3d8b4aec2a8
Detections:
win_nanocore_w0
Create hunting rule
win_darkcomet_auto
Create hunting rule
win_darkcomet_g0
Create hunting rule
win_darkcomet_a0
Create hunting rule
Link:
https://www.unpac.me/results/29e8e5c5-a709-48b1-80d3-d04bb29bd485/
SH256 hash:
897e37daafa0f5d04096c866bbc315ad251526e31107cb0ef3d15c0cd43e3f8d
MD5 hash:
3af9d22e096b8d00cc42770c1d7b474d
SHA1 hash:
730064d722e453330dadeadd2a8f1ab1f048ef76
Link:
https://www.unpac.me/results/29e8e5c5-a709-48b1-80d3-d04bb29bd485/
SH256 hash:
3a516c63128ef22abdf1bcd4cdb1a52c155e5945259c2b7a874d575c566662fe
MD5 hash:
1d05d6f79a20d62c33fc13e6b1f07708
SHA1 hash:
23619ed2891e44d5f8401b3cb4cd9671df064fb1
Link:
https://www.unpac.me/results/29e8e5c5-a709-48b1-80d3-d04bb29bd485/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/29e8e5c5-a709-48b1-80d3-d04bb29bd485/
SH256 hash:
219a6c7ea5bb974cc9fdf265d13d843e6ba83f2a1ec07744d4b9ca3a6ca90f38
MD5 hash:
88dd74207f3882979e21e26bf33a0e9c
SHA1 hash:
02a2db1bcbdb700f16c730a45d6ca62f805af8d4
Link:
https://www.unpac.me/results/29e8e5c5-a709-48b1-80d3-d04bb29bd485/
SH256 hash:
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35
MD5 hash:
fe99ea6d3ec88c3559aabf7ff17fe01a
SHA1 hash:
da8c19d38a772c10a450ed20ee3eade532b7faf6
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/29e8e5c5-a709-48b1-80d3-d04bb29bd485/
SH256 hash:
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470
MD5 hash:
543dc2f0c0753a513107e1a927ae99d5
SHA1 hash:
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0
Link:
https://www.unpac.me/results/29e8e5c5-a709-48b1-80d3-d04bb29bd485/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4e5713ceec17/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369932/

Comments