MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6822e60d84c96366253c77aa15337f23d4b4b31ae0b72e52b6a2a9b310af03ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6822e60d84c96366253c77aa15337f23d4b4b31ae0b72e52b6a2a9b310af03ba
SHA3-384 hash: 5cf30f4f3d43f7de38d2285406f2fed40e681e3353406dc52395083239564f48b48b4e5862d092ea273143c79e39f282
SHA1 hash: 697dab0f7cbea2cade13e6f93b579925da61b961
MD5 hash: 28a34c7a99cab655242ae97d6d119fbb
humanhash: utah-sad-twelve-arizona
File name:HEUR-Trojan-PSW.MSIL.Stealer.gen-6822e60d84c9.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:990'208 bytes
First seen:2022-12-30 12:10:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:xSwxZ0EG3KQyTs4XlhyI/vbUvRosJCX1P4DCSJLI1EeoTInsRV8trhb:xSRosJA0C51EeoTI9h
Threatray 10'391 similar samples on MalwareBazaar
TLSH T147250E3E6AA42A27B777D2644681C015F8BC91DB3A395CD742C7698C350E8027EE7F2D
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
45.137.20.4:56648

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
HEUR-Trojan-PSW.MSIL.Stealer.gen-6822e60d84c9.exe
Verdict:
Malicious activity
Analysis date:
2022-12-30 12:11:08 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/7199340d-5b72-41e6-a9a1-587d8e887aa0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Ratx-9880008-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63aed5580e926711fd75c8bf/reports/f6683ebe-7e42-4bb7-a15a-a871c0030955/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/530dff89-7a6d-4c54-8298-49a472c95767
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1143175
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 775905 Sample: HEUR-Trojan-PSW.MSIL.Steale... Startdate: 30/12/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 9 other signatures 2->42 7 HEUR-Trojan-PSW.MSIL.Stealer.gen-6822e60d84c9.exe 7 2->7         started        11 JHfZZUkpdLoEHi.exe 2 2->11         started        process3 file4 22 C:\Users\user\AppData\...\JHfZZUkpdLoEHi.exe, PE32 7->22 dropped 24 C:\...\JHfZZUkpdLoEHi.exe:Zone.Identifier, ASCII 7->24 dropped 26 C:\Users\user\AppData\Local\...\tmp74BA.tmp, XML 7->26 dropped 28 HEUR-Trojan-PSW.MS...822e60d84c9.exe.log, ASCII 7->28 dropped 44 Uses schtasks.exe or at.exe to add and modify task schedules 7->44 46 Injects a PE file into a foreign processes 7->46 13 HEUR-Trojan-PSW.MSIL.Stealer.gen-6822e60d84c9.exe 9 7->13         started        18 schtasks.exe 1 7->18         started        48 Antivirus detection for dropped file 11->48 50 Multi AV Scanner detection for dropped file 11->50 52 Machine Learning detection for dropped file 11->52 signatures5 process6 dnsIp7 32 discoveryvipshinjiru2law.ooguy.com 45.137.20.4, 49698, 49699, 49700 ROOTLAYERNETNL Netherlands 13->32 34 192.168.2.1 unknown unknown 13->34 30 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 13->30 dropped 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->54 20 conhost.exe 18->20         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6822e60d84c96366253c77aa15337f23d4b4b31ae0b72e52b6a2a9b310af03ba/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-18 03:40:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=naromdmezfrwmjj4o6vbkm37epkljmy24c3s4uvwuku3gefpao5a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
40c935ce8104afa8a498a4bde6146fb548e202370212ebbb7851ed443b3af510
NanoCore
62cb486b54247e61986157ccd85361327b06ed60fe384afc9c8738fee1588c8f
NanoCore
951791738b8256d710fb1c7b0960a4ff30636371ed39346a93bc5a9500614769
NanoCore
a7693434e775cf120cec21c7380f70b9e8914f7dd02019e953d5af4af0147a39
NanoCore
c149c63edd6c455c6b6bbc9f95d6c4145f6c5e20570a19584f1041f8b410f3e0
NanoCore
d12ed131337f7c91df923f4c677ac2a50359836a60aee94bed3d1e7e09528a27
NanoCore
d2403e6a7d524f652e38af89405a91abe3312b03b49e8ded8e826975d622ff3e
NanoCore
edbcf263dcdc843c1f1adf5f8c8c0e476f4d5d8da6771c729b863f55033f8d75
NanoCore
+ 10'381 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221230-pck7wsag6w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
discoveryvipshinjiru2law.ooguy.com:56648
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1480953c-b596-430a-9d4e-ddc08d786460
Unpacked files
SH256 hash:
38e9b42d5fcdc264186aaf51537a3989e01996c7046380f3d210254012b98b50
MD5 hash:
447dd3ed755116b17365482935e4b1d8
SHA1 hash:
f742f01cfc30622dc9c5dc127436e207606395b5
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/b3842ac2-e4e0-4738-a12e-b62b0b7df9a8/
SH256 hash:
5b765bddc7debabc4196fb8f403b3a5c5cdbb5a3cdfe57b960667d404cc03cf5
MD5 hash:
b782359d8fe8d053c565c7feb6e7dc85
SHA1 hash:
87c8a4cc1b433a6d2ab26561e65fc77dc5f795e5
Link:
https://www.unpac.me/results/b3842ac2-e4e0-4738-a12e-b62b0b7df9a8/
SH256 hash:
5eee647d41c7c1b9c4e9ae3a0f5ddd92a2db77a63d76dfc3c7acd3cc035f8b29
MD5 hash:
250a9774c9e041c124afa496c23e33fc
SHA1 hash:
28cb9579c5828d621024a79ac21d10dc7b3488a5
Link:
https://www.unpac.me/results/b3842ac2-e4e0-4738-a12e-b62b0b7df9a8/
SH256 hash:
82a4065578bf324c5a382d4e43510bfe37dc2d4accaa25792aecea77c7387714
MD5 hash:
ecff0ff8f308ad9a7ab4e8d8c6632f1f
SHA1 hash:
b2149cd8ad0767e9ee467d85f7f5d97494ecb07a
Link:
https://www.unpac.me/results/b3842ac2-e4e0-4738-a12e-b62b0b7df9a8/
SH256 hash:
6822e60d84c96366253c77aa15337f23d4b4b31ae0b72e52b6a2a9b310af03ba
MD5 hash:
28a34c7a99cab655242ae97d6d119fbb
SHA1 hash:
697dab0f7cbea2cade13e6f93b579925da61b961
Link:
https://www.unpac.me/results/b3842ac2-e4e0-4738-a12e-b62b0b7df9a8/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6822e60d84c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6822e60d84c96366253c77aa15337f23d4b4b31ae0b72e52b6a2a9b310af03ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments