MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 531158b37cc8bfb82ee3f118e9525f132fddd14e52df5a30ae1563c4ccf5d176. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 531158b37cc8bfb82ee3f118e9525f132fddd14e52df5a30ae1563c4ccf5d176
SHA3-384 hash: 0477023133c4309c7a04794c7d5a3b0c01a6d380c195eb61dc3610812efef933a4894a60fc9420b4fefe4f9e9f00867c
SHA1 hash: 8ed218c8b1f287a39c710b09009af1e11d33074d
MD5 hash: 3a0872546e9e83b0c049f3c57d003e4d
humanhash: bravo-stairway-mike-mango
File name:BL-COA-PL-CI_09876543234456787‮rcs.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'207'808 bytes
First seen:2021-08-23 16:44:49 UTC
Last seen:2021-08-23 18:14:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:CWESXLuQ/VP24GgcLQsLjBN9aTom5Ouj+Oh3jwgeE2ELDFE8AvZNGzHKEU9v:btPujf9aTXEujwvEBDq8eZwzHM
Threatray 2'927 similar samples on MalwareBazaar
TLSH T1DE457D29B34077E6E42A0F3B4832168C03F99A477636F75FA8CE36D85C35616871B693
dhash icon 2ce4c5ccccc8c0d4 (2 x NanoCore)
Reporter Racco42
Tags:exe NanoCore RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
512
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FHU.genEldorado.115.6836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Connection attempt
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Creating a file in the Program Files subdirectories
Deleting a recently created file
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a67d61f-ad12-4897-8e5c-f16932ec1c49
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/837705
Signature
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 470136 Sample: BL-COA-PL-CI_09876543234456... Startdate: 23/08/2021 Architecture: WINDOWS Score: 80 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Detected Nanocore Rat 2->37 39 2 other signatures 2->39 7 BL-COA-PL-CI_09876543234456787rcs.exe 15 7 2->7         started        12 esgt.exe 14 3 2->12         started        14 esgt.exe 2->14         started        process3 dnsIp4 31 www.google.com 216.58.215.228, 443, 49735, 49739 GOOGLEUS United States 7->31 25 C:\Users\user\AppData\Roaming\...\esgt.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->27 dropped 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->41 16 esgt.exe 2 7->16         started        19 cmd.exe 1 7->19         started        file5 signatures6 process7 dnsIp8 29 www.google.com 16->29 21 conhost.exe 19->21         started        23 reg.exe 1 1 19->23         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/531158b37cc8bfb82ee3f118e9525f132fddd14e52df5a30ae1563c4ccf5d176/
Threat name:
Win32.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-08-23 16:45:11 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
203ac3379fb9ca3dd9c50d81234c753493ac422538c30d9a9ea07cb5f5042a7b
NanoCore
2df55ccbab067e73a2fa36685a48b14d0897f845b7ff25abd75f609fd0dbe415
NanoCore
5a9851575ac7feaabfd484aee3296eea2b2b18c04609a8fe1e1953f847f2c428
NanoCore
69fa6ebff614598a1243cb00bc9a7c69e60fca3c3fd93da4157c418d202f1542
NanoCore
72f30e8884110e06b133ecabfdbf523aef8cc5533273aa3e12afee785a5a45bc
NanoCore
914c79c23d30b4df795779800b6e14ac42bec2dc618d11d7c0b526960fc6283c
NanoCore
b2fa4bbff4b67fef522c3b6cbc3a98b0c2f463045f19af5f96ee7a3c48ea9f93
NanoCore
bf3e15c717d14fd550a694f56e737bbb400f86ad5130afd39ed12ca54c4f154d
NanoCore
ca12d3f00e654a8c51e15c6eaed8330721e48f398f877fc0ed68a983d3191a37
NanoCore
f089621fa865a1406a660945a8376953b51dee4e39b1d7cde0ca17b27a0ac7eb
NanoCore
+ 2'917 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore agilenet evasion keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210823-zz9ggyv7p6/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
mondaynew22.3utilities.com:7401
Unpacked files
SH256 hash:
531158b37cc8bfb82ee3f118e9525f132fddd14e52df5a30ae1563c4ccf5d176
MD5 hash:
3a0872546e9e83b0c049f3c57d003e4d
SHA1 hash:
8ed218c8b1f287a39c710b09009af1e11d33074d
Link:
https://www.unpac.me/results/ee4001e6-e398-4577-8e34-07ad83f5f503/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/531158b37cc8bfb82ee3f118e9525f132fddd14e52df5a30ae1563c4ccf5d176

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AlternativesExample1
Create hunting rule
Rule name:AlternativesExample1
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 531158b37cc8bfb82ee3f118e9525f132fddd14e52df5a30ae1563c4ccf5d176

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments