MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ea70ec2d087e6cd7080f733e6f943b0e0faa5c32fcfc4962043d954ba134820. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ea70ec2d087e6cd7080f733e6f943b0e0faa5c32fcfc4962043d954ba134820
SHA3-384 hash: e93a3e1817b64456fd1c5185a318b338d5afb0bb2f9e644b10cbc3e62802b95573b08651bee5edce85268d71c72c2dd8
SHA1 hash: 58fd74a230219d610166df6d4703a12213fa12db
MD5 hash: a7715da2d0413458ea41b21291fddfa7
humanhash: floor-table-solar-dakota
File name:a7715da2d0413458ea41b21291fddfa7.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:903'680 bytes
First seen:2022-08-14 17:10:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:7bqDxgV2iNq+1McbLwr7ekTMEMAjk0VzcEIdEdak4eAwRXIbUDbLDuXkQnGkN7:7bCxgV10wLi4mztIdzre9IbUDHDl
Threatray 6'569 similar samples on MalwareBazaar
TLSH T16315AE5BBF10324DC893A975DE4B7C61A7F22C6E3226D07A3513391A8AFF742DA11076
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
79.134.225.18:9034

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.18:9034 https://threatfox.abuse.ch/ioc/843169/

Intelligence

File Origin
# of uploads :
1
# of downloads :
533
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
a7715da2d0413458ea41b21291fddfa7.exe
Verdict:
Malicious activity
Analysis date:
2022-08-14 17:12:57 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/505155d3-13b7-4689-8917-ddaa0c8af062

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298507/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed
Link:
https://www.filescan.io/uploads/62f92ce2080024921b775f16/reports/8e607ab2-9003-4115-86fe-ea9278e5292a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04b2c868-94a5-4ed0-8961-6278409d15d6
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1051199
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 683709 Sample: Ww2aH475Vz.exe Startdate: 14/08/2022 Architecture: WINDOWS Score: 100 58 express104.ddns.net 2->58 62 Snort IDS alert for network traffic 2->62 64 Multi AV Scanner detection for domain / URL 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 13 other signatures 2->68 9 Ww2aH475Vz.exe 7 2->9         started        13 RegSvcs.exe 2 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 2->17         started        signatures3 process4 file5 50 C:\Users\user\AppData\Roaming\kPwLZFlJ.exe, PE32 9->50 dropped 52 C:\Users\...\kPwLZFlJ.exe:Zone.Identifier, ASCII 9->52 dropped 54 C:\Users\user\AppData\Local\...\tmpA98B.tmp, XML 9->54 dropped 56 C:\Users\user\AppData\...\Ww2aH475Vz.exe.log, ASCII 9->56 dropped 72 Uses schtasks.exe or at.exe to add and modify task schedules 9->72 74 Writes to foreign memory regions 9->74 76 Adds a directory exclusion to Windows Defender 9->76 78 Injects a PE file into a foreign processes 9->78 19 RegSvcs.exe 1 12 9->19         started        24 powershell.exe 25 9->24         started        26 schtasks.exe 1 9->26         started        28 conhost.exe 13->28         started        30 conhost.exe 15->30         started        32 conhost.exe 17->32         started        signatures6 process7 dnsIp8 60 express104.ddns.net 79.134.225.18, 49743, 49744, 49760 FINK-TELECOM-SERVICESCH Switzerland 19->60 46 C:\Users\user\AppData\Roaming\...\run.dat, data 19->46 dropped 48 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->48 dropped 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->70 34 schtasks.exe 1 19->34         started        36 schtasks.exe 19->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        file9 signatures10 process11 process12 42 conhost.exe 34->42         started        44 conhost.exe 36->44         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5ea70ec2d087e6cd7080f733e6f943b0e0faa5c32fcfc4962043d954ba134820/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-13 15:30:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
29 of 41 (70.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l2tq5qwqq7tm24ea64z6n6kdwdqpvjodf7h4jfraipmvjoqtjaqa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
njrat
Create hunting rule
Similar samples:
0289b5c2829170ad4bb04daedbd3db5e56474415aee109a91a66ba9fa8a7a179
NanoCore
42160df191b53ba66deac9a1dcb81f52f1712831a07d359d7c4bf9b5574c4707
NanoCore
66b83ea08aae693557315e3e62fcdc14e3ab57c51d43a10a4bacf1d5e05c6988
NanoCore
90a44b79038b4ea3b3d8303e6761e4fd142c26f0009cc156cbeecd6cc4f5a729
NanoCore
923527e188f407ba2bba6d1570506c474519970bc29fbee47d16d01636e7a338
NanoCore
ede54ddd1ad0cc12aeb64653aee9b3d056263312bf2221ee7f640fd3fcbf11cb
NanoCore
efc5e38081320031708585d42e346cd6080b7b0bf8d16f5872f2fbe457c3c0ca
NanoCore
f7c7284fe582f8d0e87f505786abe85afe42706b481320745b1cf8cdb8420b03
NanoCore
f8b172fef8728a9ec1ad7b73e5f59c6750d53244dbce42a769c910b673669236
NanoCore
+ 6'559 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220814-vp9c5sbbh5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Uses the VBS compiler for execution
NirSoft MailPassView
Nirsoft
NanoCore
Malware Config
C2 Extraction:
express104.ddns.net:9034
79.134.225.18:9034
Unpacked files
SH256 hash:
fd80c610dd3e5e3d1dea2168638479064f3f54470cc7ccb0faa36c8b8bc50bbb
MD5 hash:
680fb228280164a7890ac53a32672410
SHA1 hash:
b0d2e44f43f6de91f211339565b73ec7e1d7b816
Link:
https://www.unpac.me/results/8ba1a486-a9d9-4693-89e7-8be34703589f/
SH256 hash:
ce2676bd9a5ece1ba67abb561916e9b0a5803b0070b3a23496baad1aea0dd7dd
MD5 hash:
4779f38b896fec46823fe2119768d984
SHA1 hash:
48876dda2262924d1f09de328dc24e0bedb4ee4e
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/8ba1a486-a9d9-4693-89e7-8be34703589f/
SH256 hash:
642d5b8aa52ca35d8386a5b4302aa503d330753426dd950e6c2a47efdbb4b7e2
MD5 hash:
2e85fdecd9837f0895ee6568f97b3cfd
SHA1 hash:
a4df92cf9adfa1c7d26f6d19923cbfa4cbfc596f
Link:
https://www.unpac.me/results/8ba1a486-a9d9-4693-89e7-8be34703589f/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/8ba1a486-a9d9-4693-89e7-8be34703589f/
SH256 hash:
c3f0aa07ab786ca3ffdcf2b2e3ea6e32cf1ee6d35e3993b54c4b28bec418cc41
MD5 hash:
930704d9ee16bbad6e60751e20410661
SHA1 hash:
0ffc7872aca6db92bf8906f44cb00a6c27be9c30
Link:
https://www.unpac.me/results/8ba1a486-a9d9-4693-89e7-8be34703589f/
SH256 hash:
5ea70ec2d087e6cd7080f733e6f943b0e0faa5c32fcfc4962043d954ba134820
MD5 hash:
a7715da2d0413458ea41b21291fddfa7
SHA1 hash:
58fd74a230219d610166df6d4703a12213fa12db
Link:
https://www.unpac.me/results/8ba1a486-a9d9-4693-89e7-8be34703589f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ea70ec2d087e6cd7080f733e6f943b0e0faa5c32fcfc4962043d954ba134820

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298507/

Comments