MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5999f4881e035a5c564ee3bcdf39d04082978f3e0bbee2c27b0fcc30493da60f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5999f4881e035a5c564ee3bcdf39d04082978f3e0bbee2c27b0fcc30493da60f
SHA3-384 hash: 1da3283c4668202313bbab3cb1a46b6529d0f3b56c34b55d8885d3b7f2adeab59fabe75aef46916399ddb4eaee5f3dfc
SHA1 hash: 040a4175b56814b84d10f873e9be1d6e8c06a10e
MD5 hash: c5e6c5c7a14f048e25bb1799540202ca
humanhash: oregon-delaware-delaware-golf
File name:02-14-2023-0765567887img.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:615'936 bytes
First seen:2023-02-14 08:00:52 UTC
Last seen:2023-02-14 09:36:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:9yFFZ6yeu3Mg20ZB3DjhFHiGlJ1UYhEmXj4gc7B+7OML3t+ALv:K6Ly2E/H7CYhEhxRAL
Threatray 6'596 similar samples on MalwareBazaar
TLSH T171D41265635B11B7CBE8ACF169A3680623B766767502FBCB9C0DB8E50ACE74003407E7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8060e0e080204000 (7 x AgentTesla, 6 x Formbook, 3 x Loki)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
91.193.75.131:5455

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
02-14-2023-0765567887img.exe
Verdict:
Malicious activity
Analysis date:
2023-02-14 08:02:07 UTC
Tags:
nanocore trojan rat
Link:
https://app.any.run/tasks/a02d5ca1-0b62-42c0-bd9a-157155ce6835

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/365486/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.19184.1051.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63eb3fbf97e87dd9097f020a/reports/170752c8-43b4-4004-a869-5618bf646a3a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5999f4881e035a5c564ee3bcdf39d04082978f3e0bbee2c27b0fcc30493da60f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/306fdb46-395d-4002-b68b-03a1af0e8139
Result
Threat name:
Nanocore, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1174161
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Nanocore RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 806951 Sample: 02-14-2023-0765567887img.exe Startdate: 14/02/2023 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 9 other signatures 2->73 8 02-14-2023-0765567887img.exe 7 2->8         started        12 uHLSCyXIbP.exe 5 2->12         started        14 RegSvcs.exe 2 2->14         started        16 2 other processes 2->16 process3 file4 55 C:\Users\user\AppData\...\uHLSCyXIbP.exe, PE32 8->55 dropped 57 C:\Users\...\uHLSCyXIbP.exe:Zone.Identifier, ASCII 8->57 dropped 59 C:\Users\user\AppData\Local\...\tmp441E.tmp, XML 8->59 dropped 61 C:\Users\...\02-14-2023-0765567887img.exe.log, ASCII 8->61 dropped 77 Uses schtasks.exe or at.exe to add and modify task schedules 8->77 79 Writes to foreign memory regions 8->79 81 Adds a directory exclusion to Windows Defender 8->81 18 RegSvcs.exe 1 12 8->18         started        23 powershell.exe 20 8->23         started        25 schtasks.exe 1 8->25         started        83 Multi AV Scanner detection for dropped file 12->83 85 Machine Learning detection for dropped file 12->85 87 Injects a PE file into a foreign processes 12->87 27 schtasks.exe 12->27         started        29 RegSvcs.exe 12->29         started        31 conhost.exe 14->31         started        33 conhost.exe 16->33         started        35 conhost.exe 16->35         started        signatures5 process6 dnsIp7 63 5455.hopto.org 105.113.41.243, 5455 VNL1-ASNG Nigeria 18->63 65 91.193.75.131, 49726, 49727, 49729 DAVID_CRAIGGG Serbia 18->65 51 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->51 dropped 53 C:\Users\user\AppData\Roaming\...\run.dat, data 18->53 dropped 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->75 37 schtasks.exe 1 18->37         started        39 schtasks.exe 1 18->39         started        41 conhost.exe 23->41         started        43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        file8 signatures9 process10 process11 47 conhost.exe 37->47         started        49 conhost.exe 39->49         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5999f4881e035a5c564ee3bcdf39d04082978f3e0bbee2c27b0fcc30493da60f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-14 08:01:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgm7jca6annfyvso4o6n6ooqicbjpdz6bo7ofqt3b7gdasj5uyhq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0d7657dfe01e296e3de4f00364dea848eda8a6e491f7beceb707b3e251bd68fe
NanoCore
4eb705a138ca2f8b57e12960c2e89be695c156affbd5bb6a606aa685cb3b0ebe
NanoCore
64432f4d06930d1f0233cd77e59e57bbbd878d2a71e4c5850ee2baa315e7bafb
NanoCore
65fc6dce29c76aa98c946748b40ef8dae7278002fb6edea0c82c4fc94e03b41a
NanoCore
7a2d285fe35b5030edfc71be23f97d3dc8ace48f6a7183135bd59c14d8dfd33f
NanoCore
8b6a0f607c8aa32a95838d10b496bdbd68b86a457ef49f8043badb21f5b12b2a
NanoCore
93e9640423fb4afef5c9255f3489af80b7961696350cf0c30cb295711bb50a8e
NanoCore
ae773800646505a74d624672b6a3bf5d74c92dc78d7d1fdb9df1842d692c21ab
NanoCore
da0416690a0f0bdc34e5215285d224ba895141f1da78f6512465bd11d8ed4892
NanoCore
+ 6'586 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230214-jwjwaabb7t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
5455.hopto.org:5455
91.193.75.131:5455
Unpacked files
SH256 hash:
5894012a30ba8e5dc4fe518426cdf3b95f1225a049d08abf13a64ea8766bd515
MD5 hash:
6c236cc16248f8646a29883a95dba972
SHA1 hash:
c602561e64094b5c2940368c599e4bee3fb629a2
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/30c4c936-d846-4a9c-ba9d-511f03e56935/
SH256 hash:
160bdc024417823dfc0a8447713a05560a06ac0cb212175794d1758ff2703662
MD5 hash:
7d5b7fa5e2db40f518e116b1fd3a4b62
SHA1 hash:
596334514d92fd48bac29dee11f17827458645ea
Link:
https://www.unpac.me/results/30c4c936-d846-4a9c-ba9d-511f03e56935/
SH256 hash:
c662c80213e340710f896f6cd4e2c0fed3ebaf090758709a944caeddb4767133
MD5 hash:
5bc92c10ad0163693d76aa8bb7256761
SHA1 hash:
c0e6dad34144c45269963f6568027ba46a239f58
Link:
https://www.unpac.me/results/30c4c936-d846-4a9c-ba9d-511f03e56935/
SH256 hash:
46cb32256dba295b72212185d3bf29e54de9f78fe32a8e43c82288285c3bf721
MD5 hash:
453d8d23d417dacecac4ad0235d2b420
SHA1 hash:
6aaffef79f32f151aef9d5c548ac9055ea6c2f35
Link:
https://www.unpac.me/results/30c4c936-d846-4a9c-ba9d-511f03e56935/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/30c4c936-d846-4a9c-ba9d-511f03e56935/
SH256 hash:
5999f4881e035a5c564ee3bcdf39d04082978f3e0bbee2c27b0fcc30493da60f
MD5 hash:
c5e6c5c7a14f048e25bb1799540202ca
SHA1 hash:
040a4175b56814b84d10f873e9be1d6e8c06a10e
Link:
https://www.unpac.me/results/30c4c936-d846-4a9c-ba9d-511f03e56935/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5999f4881e03/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5999f4881e035a5c564ee3bcdf39d04082978f3e0bbee2c27b0fcc30493da60f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/365486/

Comments