MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a0d28c367651440ee5d9713b788c399622c4acf3e5110c140f1c0b08154065f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a0d28c367651440ee5d9713b788c399622c4acf3e5110c140f1c0b08154065f
SHA3-384 hash: 8eaf92ec0853ae3b919c6c9ab781a2c4b4fe9d7599454b5cb120b76f947fd9490e3c878c451effb9ef27439b6be04086
SHA1 hash: 6cbccad8f8527f95b735b2eeaab75da63adabcd5
MD5 hash: 0234dccf5cd282757777a303abbb3ea1
humanhash: ten-gee-lake-fourteen
File name:Booking038.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'127'936 bytes
First seen:2022-07-19 04:25:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:g9nhLrtamMXgoKQonKrLgRGxiU7Hvh8tNXQudddagzUsiWh6XOfnbcaFg78Mjobr:SPt6g8ri+i2h8tWudddagzUsiWh6XOff
TLSH T1DA35EFF631C7401CD866BC359DB4ACA7F865DD72908E297EEF3D7A0A25F10BA0191386
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0800e2eeece2e468 (10 x AgentTesla, 4 x NanoCore, 2 x QuasarRAT)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
193.233.187.19:555

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.233.187.19:555 https://threatfox.abuse.ch/ioc/838635/

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/291757/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.21547.28994.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d632d9b1b58ed7a17152ab/reports/d466faa4-8670-42d2-986b-cd44ddb7e449/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/acfa89af-a293-4514-82b4-1af6b53c24ec
Result
Threat name:
Nanocore, BluStealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036250
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
DLL side loading technique detected
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected BluStealer
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Generic Dropper
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 668744 Sample: Booking038.exe Startdate: 19/07/2022 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus / Scanner detection for submitted sample 2->78 80 14 other signatures 2->80 8 Booking038.exe 1 8 2->8         started        12 Alxtsaxxv.exe 2->12         started        14 Alxtsaxxv.exe 2->14         started        process3 file4 44 C:\Users\user\AppData\...\Alxtsaxxv.exe, PE32 8->44 dropped 46 C:\Users\user\AppData\...\Zwhwbedtcjeaizn.exe, PE32 8->46 dropped 48 C:\Users\...\Alxtsaxxv.exe:Zone.Identifier, ASCII 8->48 dropped 50 C:\Users\user\AppData\...\Booking038.exe.log, ASCII 8->50 dropped 82 Encrypted powershell cmdline option found 8->82 16 Zwhwbedtcjeaizn.exe 4 8->16         started        20 InstallUtil.exe 3 11 8->20         started        23 powershell.exe 17 8->23         started        84 Antivirus detection for dropped file 12->84 86 Machine Learning detection for dropped file 12->86 signatures5 process6 dnsIp7 54 192.168.2.1 unknown unknown 16->54 58 Antivirus detection for dropped file 16->58 60 Machine Learning detection for dropped file 16->60 62 Encrypted powershell cmdline option found 16->62 70 3 other signatures 16->70 25 InstallUtil.exe 16->25         started        30 powershell.exe 17 16->30         started        32 InstallUtil.exe 16->32         started        34 InstallUtil.exe 16->34         started        40 C:\Users\Public\...\sqlite3.dll, PE32 20->40 dropped 42 C:\Users\Public\...\SQLite3_StdCall.dll, PE32 20->42 dropped 64 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->64 66 Tries to harvest and steal browser information (history, passwords, etc) 20->66 68 DLL side loading technique detected 20->68 72 2 other signatures 20->72 36 conhost.exe 23->36         started        file8 signatures9 process10 dnsIp11 56 193.233.187.19, 49851, 49857, 49859 REDCOM-ASRedcomKhabarovskRussiaRU Russian Federation 25->56 52 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 25->52 dropped 88 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->88 38 conhost.exe 30->38         started        file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a0d28c367651440ee5d9713b788c399622c4acf3e5110c140f1c0b08154065f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-19 04:26:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nigsrq3hmukeb3s5s4j3pcgdtfrcyswphzirbqka6halbakuazpq._file
Verdict:
malicious
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220719-e2hsysbbfm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
BluStealer
NanoCore
Malware Config
C2 Extraction:
193.233.187.19:555
Unpacked files
SH256 hash:
fc2a8fc096fa8179679f6cba31af1b24b50c626e8351bae7ee601026c50b5988
MD5 hash:
ab67850cfe9fa049f944d2be57970e1d
SHA1 hash:
e39c5b4244f65636434eae1fe0d639daeecff1f7
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/d04c0994-7831-4865-b2cb-06b2d946b314/
SH256 hash:
0e47945c8cdc6b6e9b6b5d2cbfced7fd6bc3e9138417be5ba961fe411f80c6d8
MD5 hash:
e98dcded2aff1d1c9f4ee2de751c62ea
SHA1 hash:
55eb760498af833d054a37ad119b5ff932ddd024
Link:
https://www.unpac.me/results/d04c0994-7831-4865-b2cb-06b2d946b314/
SH256 hash:
1be5c753b650a3893a2e65bce506515f31cc02f96d15c632a151520e5acd6e5e
MD5 hash:
96013280df3607417d7a104029e216c7
SHA1 hash:
50c0ac8111c9a32e227258c718331f5ea1cb2591
Link:
https://www.unpac.me/results/d04c0994-7831-4865-b2cb-06b2d946b314/
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/d04c0994-7831-4865-b2cb-06b2d946b314/
SH256 hash:
3c6f7e401bf4281595b1ba8cab550ff9a00e6d294ccc5d0c309507a2300b63f6
MD5 hash:
b3e32ac3a5eb629924af467547775054
SHA1 hash:
e1af5f85b3a72bae9033e4dfc74c8e5326173141
Link:
https://www.unpac.me/results/d04c0994-7831-4865-b2cb-06b2d946b314/
SH256 hash:
5222df9b462321a7ca13ba1ec8a007c00f9903c9b8d58a0abf022188fd73ee3f
MD5 hash:
8aba31b5784e7abe33019fc392011a8d
SHA1 hash:
dfa387f4b1f5ebdf4302c8daa174c32f7ef29924
Link:
https://www.unpac.me/results/d04c0994-7831-4865-b2cb-06b2d946b314/
SH256 hash:
38167f7408815f3a62959114d6b8520551b0d2657643093766c2d00ba9b0a519
MD5 hash:
077382db1620ae1136db009ba55e7b93
SHA1 hash:
a1261822b377113e046a8557aff1a0709e477054
Link:
https://www.unpac.me/results/d04c0994-7831-4865-b2cb-06b2d946b314/
SH256 hash:
8971aea194130b1b7b7e76b10157c4d6b3a883f391bdd1ba1ba7a3e271edffca
MD5 hash:
7825984034b569641be007e628b4ef39
SHA1 hash:
43748c8d3f85930eee5c081bf56c413ae8d60857
Link:
https://www.unpac.me/results/d04c0994-7831-4865-b2cb-06b2d946b314/
SH256 hash:
fc537ed5e7912f4edc5d3b3b41957a27194acbbb6293f37bbada5d8a050cf0f3
MD5 hash:
5e69504c88b5e6a4913ed5900c8e4bfd
SHA1 hash:
2a495b003352407329d4f1fb2630ff96e9811e5a
Link:
https://www.unpac.me/results/d04c0994-7831-4865-b2cb-06b2d946b314/
SH256 hash:
c3a7e259b75512b466a79b36228b673021053add1da45fdadf8e8dc3d112cf4c
MD5 hash:
57dea1e991edb06104ff5bcce686c8f2
SHA1 hash:
225f0a769cc5ecd1002750a335a038bf8001b5bb
Link:
https://www.unpac.me/results/d04c0994-7831-4865-b2cb-06b2d946b314/
SH256 hash:
6a0d28c367651440ee5d9713b788c399622c4acf3e5110c140f1c0b08154065f
MD5 hash:
0234dccf5cd282757777a303abbb3ea1
SHA1 hash:
6cbccad8f8527f95b735b2eeaab75da63adabcd5
Link:
https://www.unpac.me/results/d04c0994-7831-4865-b2cb-06b2d946b314/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6a0d28c36765/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a0d28c367651440ee5d9713b788c399622c4acf3e5110c140f1c0b08154065f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:malware_Nanocore_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291757/

Comments