MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 607e18119b44e869812cccf8b2e7707d63024bde7ef1fc82da9086d2e21bf5d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 607e18119b44e869812cccf8b2e7707d63024bde7ef1fc82da9086d2e21bf5d4
SHA3-384 hash: b5837da641eee0fa0731e491f76a732b3a1bbd9f77e89c5a515075c9e609782c298ee8fd49eb5611713345efd246189e
SHA1 hash: a320327d737baae6a939f446ff604de4e9fe1ffd
MD5 hash: a0a38ff93ae51c3d2794e48f2d9d552d
humanhash: floor-september-angel-single
File name:A0A38FF93AE51C3D2794E48F2D9D552D.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'470'464 bytes
First seen:2025-10-24 00:20:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:/hbFVNs50LFf8v/yWqDtXKk0gdUQMBQJR3mw5/rIbdct2Gyc7v:p1s5zyW2dKEqQH1mwpIbdcUfc
Threatray 26 similar samples on MalwareBazaar
TLSH T12C6522A6B301B06DCC9B82726875CEB2E8A63C197B51871FE247374CBD3E24B4F05995
TrID 28.5% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
184.105.237.196:5001

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
184.105.237.196:5001 https://threatfox.abuse.ch/ioc/1625888/

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
A0A38FF93AE51C3D2794E48F2D9D552D.exe
Verdict:
Malicious activity
Analysis date:
2025-10-24 00:22:42 UTC
Tags:
nanocore auto-reg
Link:
https://app.any.run/tasks/6afe1c58-6198-4d1a-a448-bbd6c2285575

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33998/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fac6763bdc93eb0563b09c
Tags:
injector virus msil
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/68fac66ac85c5c5697344f79/reports/7c5ee66f-b455-4265-9e6b-ff30d84fb024/overview
Verdict:
Malicious
Labled as:
CryptPack.Generic
Link:
https://www.hybrid-analysis.com/sample/607e18119b44e869812cccf8b2e7707d63024bde7ef1fc82da9086d2e21bf5d4
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-20T18:29:00Z UTC
Last seen:
2025-10-20T20:31:00Z UTC
Hits:
~10
Detections:
Trojan.MSIL.Inject.abynz PDM:Trojan.Win32.Generic Trojan.Win32.NanoBot.sb Trojan.MSIL.Crypt.sb Backdoor.NanoBot.TCP.C&C Backdoor.MSIL.NanoBot.sb Backdoor.Agent.TCP.C&C Trojan.Win32.Gorgon.sb HEUR:Backdoor.MSIL.NanoBot.gen
Link:
https://opentip.kaspersky.com/607e18119b44e869812cccf8b2e7707d63024bde7ef1fc82da9086d2e21bf5d4/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a20e7d38-6bfd-46eb-b69c-158fac9e8325
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1801017
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: NanoCore
Suricata IDS alerts for network traffic
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1801017 Sample: f8pKS0ZyzZ.exe Startdate: 24/10/2025 Architecture: WINDOWS Score: 100 41 elumadns.eluma101.com 2->41 47 Suricata IDS alerts for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 10 other signatures 2->53 9 explorer.exe 2->9         started        11 Calculator.exe 5 2->11         started        14 f8pKS0ZyzZ.exe 16 2->14         started        17 Calculator.exe 2->17         started        signatures3 process4 file5 19 Calculator.exe 1 6 9->19         started        65 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->65 67 Injects a PE file into a foreign processes 11->67 22 Calculator.exe 11->22         started        37 C:\Users\user\AppData\...\Calculator.exe, PE32 14->37 dropped 39 C:\Users\user\AppData\...\f8pKS0ZyzZ.exe.log, ASCII 14->39 dropped 24 explorer.exe 1 14->24         started        26 Calculator.exe 17->26         started        signatures6 process7 signatures8 55 Antivirus detection for dropped file 19->55 57 Multi AV Scanner detection for dropped file 19->57 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->59 61 Injects a PE file into a foreign processes 19->61 28 Calculator.exe 8 19->28         started        63 Detected Nanocore Rat 22->63 process9 dnsIp10 43 elumadns.hopto.org 184.105.237.196, 49720, 49721, 49722 RVBA2016US United States 28->43 45 elumadns.eluma101.com 28->45 35 C:\Users\user\AppData\Roaming\...\run.dat, data 28->35 dropped 69 Detected Nanocore Rat 28->69 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->71 33 dw20.exe 28->33         started        file11 signatures12 process13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/607e18119b44e869812cccf8b2e7707d63024bde7ef1fc82da9086d2e21bf5d4
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/607e18119b44e869812cccf8b2e7707d63024bde7ef1fc82da9086d2e21bf5d4/
Verdict:
Malicious
Threat:
Family.NANOCORE
Link:
https://tip.neiki.dev/file/607e18119b44e869812cccf8b2e7707d63024bde7ef1fc82da9086d2e21bf5d4
Threat name:
ByteCode-MSIL.Hacktool.Boilod
Create hunting rule
Status:
Suspicious
First seen:
2025-10-20 20:42:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
74
AV detection:
19 of 24 (79.17%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mb7bqem3itugtajmzt4lfz3qpvrqes66p3y7zaw2scdnfyq36xka._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
1177ec2b75ba3937ac2b1505580450f3ac343ac81cc4fc00837138096c1c0dc4
NanoCore
57e0c6472d476a79e173059c667acab9743f55102ad8fc2bc1d721c84f408de7
NanoCore
5935b8bd4207083126b8f404b375945cfe3c0b61650014101de4eefa8cd80ee4
NanoCore
5942c53271713129e5c59599285a1076175d600b5243abc6740f684f913aecb4
NanoCore
607e18119b44e869812cccf8b2e7707d63024bde7ef1fc82da9086d2e21bf5d4
NanoCore
903a87f5fb8e4603adce93efe1f974c7154681017ee28abfc0990323837134bd
NanoCore
c0023d67680cf47fea242fd110ebcaa4876af8efbac3153cde5d9dcd03efab3a
NanoCore
error
NanoCore
+ 16 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/251024-am895scn4w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Executes dropped EXE
NanoCore
Nanocore family
Malware Config
C2 Extraction:
elumadns.eluma101.com:5001
elumadns.hopto.org:5001
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fd9fa2c9-23ba-432a-9350-e345e820fe54
Unpacked files
SH256 hash:
607e18119b44e869812cccf8b2e7707d63024bde7ef1fc82da9086d2e21bf5d4
MD5 hash:
a0a38ff93ae51c3d2794e48f2d9d552d
SHA1 hash:
a320327d737baae6a939f446ff604de4e9fe1ffd
Link:
https://www.unpac.me/results/c0554b1e-48cb-4051-8a77-4d3c66dde7b1/
SH256 hash:
7a601a48779a57e58c99d19ba4168336964db045c5e82b01eb3c0cee62a33e63
MD5 hash:
f08c6fc1954060b5cd238c93b9cd3afd
SHA1 hash:
27196c20ffbefae438638f3dbe49763890621c6e
Link:
https://www.unpac.me/results/c0554b1e-48cb-4051-8a77-4d3c66dde7b1/
SH256 hash:
3830654d8fc643de5bc8880ab478583ddff6b87e1869d0c4fbe3f398f28cd2db
MD5 hash:
b2dad430fa831a121ffa544d83b89a13
SHA1 hash:
34ecc05d7168e4cafbd94e74c155df742ba83865
Link:
https://www.unpac.me/results/c0554b1e-48cb-4051-8a77-4d3c66dde7b1/
SH256 hash:
254954644b1cc2426cf7273970f86124beefca526df2df34bd4fc8031deb9957
MD5 hash:
efa52305b41907aab2f1a83c0698810d
SHA1 hash:
50194e54db63a1ed41eff5ae3e67d15a9b52b243
Detections:
win_nanocore_w0
Create hunting rule
SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24
Create hunting rule
Nanocore_RAT_Gen_2
Create hunting rule
Nanocore_RAT_Feb18_1
Create hunting rule
Nanocore
Create hunting rule
MALWARE_Win_NanoCore
Create hunting rule
Link:
https://www.unpac.me/results/c0554b1e-48cb-4051-8a77-4d3c66dde7b1/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/607e18119b44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/607e18119b44e869812cccf8b2e7707d63024bde7ef1fc82da9086d2e21bf5d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/33998/

Comments