MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 700d568e38dcc4b87309a40613fe9f4dd898fd3308e977dd2ebebf0ca7bd8e62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 700d568e38dcc4b87309a40613fe9f4dd898fd3308e977dd2ebebf0ca7bd8e62
SHA3-384 hash: 276c202ed83f9aedc3dbb4d3a24dc18227e2c9e365464488f32ce5a0ab19125349d20253658aa168aee43a95b25df6c8
SHA1 hash: 474ad2141de1cb226f534851141003016944930f
MD5 hash: 1d47acd83118bc5125fe61dea575b4a2
humanhash: eleven-uniform-sierra-stream
File name:IMG-4579876545676545676543.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:445'168 bytes
First seen:2021-11-10 13:01:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:BGi+XV04XFfOcx0vm4O2G0L/DIIMEcJhdioWS27zXmn7bl51jvxw5yDme2N5k5n8:8I7y2G4UtioWSv7bJmE2N5k5nNHPG
Threatray 3'319 similar samples on MalwareBazaar
TLSH T10A94238E76E2D5F3EA814A3D06B35B394FBCD1881395442343186F3EACE54079E3E20A
File icon (PE):PE icon
dhash icon 64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
151.106.0.81:7043

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
151.106.0.81:7043 https://threatfox.abuse.ch/ioc/246416/

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
asyncrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204717/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.1021.3821.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/618bc2cddec3347825a135cc/reports/5d4ecc2a-9fcf-4198-bf31-6ec6009292ff/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b1ea3bb-9b4d-4917-aa98-1a1dbab47405
Result
Threat name:
Nanocore AgentTesla AsyncRAT GhostRat Sp
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/886710
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Detected Nanocore Rat
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected a310Logger
Yara detected AgentTesla
Yara detected AsyncRAT
Yara detected GhostRat
Yara detected Nanocore RAT
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 519179 Sample: IMG-4579876545676545676543.exe Startdate: 10/11/2021 Architecture: WINDOWS Score: 100 83 kel-j.duckdns.org 2->83 93 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 Antivirus detection for dropped file 2->97 99 17 other signatures 2->99 11 IMG-4579876545676545676543.exe 17 2->11         started        15 FXQPJXZ.exe 2->15         started        17 dhcpmon.exe 2->17         started        19 FXQPJXZ.exe 2->19         started        signatures3 process4 file5 73 C:\Users\user\AppData\Local\Temp\...\frtb.dll, PE32 11->73 dropped 129 Injects a PE file into a foreign processes 11->129 21 IMG-4579876545676545676543.exe 6 11->21         started        131 Antivirus detection for dropped file 15->131 133 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->133 135 Machine Learning detection for dropped file 15->135 137 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->137 75 C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII 17->75 dropped signatures6 process7 file8 57 C:\Users\user\AppData\Local\Temp\kelnan.exe, PE32 21->57 dropped 59 C:\Users\user\AppData\...\ClientKELV.exe, PE32 21->59 dropped 61 C:\...\IMG-4579876545676545676543.exe.log, ASCII 21->61 dropped 24 ClientKELV.exe 14 9 21->24         started        29 kelnan.exe 1 14 21->29         started        process9 dnsIp10 89 192.168.2.1 unknown unknown 24->89 63 C:\Users\user\AppData\...\tmp911B.tmp.exe, PE32 24->63 dropped 65 C:\Users\user\AppData\...\tmp7A66.tmp.exe, PE32 24->65 dropped 67 C:\Users\user\AppData\...\tmp7A65.tmp.exe, PE32 24->67 dropped 121 Antivirus detection for dropped file 24->121 123 Machine Learning detection for dropped file 24->123 125 Tries to harvest and steal browser information (history, passwords, etc) 24->125 31 cmd.exe 24->31         started        33 cmd.exe 24->33         started        35 cmd.exe 24->35         started        91 kel-j.duckdns.org 151.106.0.81, 49768, 49769, 49770 VELIANET-ASvelianetInternetdiensteGmbHDE Germany 29->91 69 C:\Program Files (x86)\...\dhcpmon.exe, PE32 29->69 dropped 71 C:\Users\user\AppData\Roaming\...\run.dat, data 29->71 dropped 127 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->127 file11 signatures12 process13 process14 37 tmp911B.tmp.exe 31->37         started        41 conhost.exe 31->41         started        43 tmp7A65.tmp.exe 33->43         started        46 conhost.exe 33->46         started        48 tmp7A66.tmp.exe 35->48         started        50 conhost.exe 35->50         started        dnsIp15 85 us2.smtp.mailhostbox.com 208.91.199.224, 49828, 587 PUBLIC-DOMAIN-REGISTRYUS United States 37->85 87 Smtp.groupmirn.eu 37->87 107 Antivirus detection for dropped file 37->107 109 Machine Learning detection for dropped file 37->109 111 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 37->111 119 5 other signatures 37->119 52 AppLaunch.exe 37->52         started        55 AppLaunch.exe 37->55         started        77 C:\Users\user\AppData\Roaming\...\FXQPJXZ.exe, PE32 43->77 dropped 79 C:\Users\user\AppData\...\tmpG153.tmp (copy), PE32 43->79 dropped 113 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 43->113 115 Hides that the sample has been downloaded from the Internet (zone.identifier) 43->115 117 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 43->117 81 C:\Users\user\AppData\...\tmpG3.tmp (copy), PE32 48->81 dropped file16 signatures17 process18 signatures19 101 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 52->101 103 Tries to steal Mail credentials (via file / registry access) 52->103 105 Tries to harvest and steal browser information (history, passwords, etc) 52->105
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/700d568e38dcc4b87309a40613fe9f4dd898fd3308e977dd2ebebf0ca7bd8e62/
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 13:01:31 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oagvndry3tclq4yjuqdbh7u7jxmjr7jtbduxpxjox27qzj55rzra._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
nanocorerat
Create hunting rule
Similar samples:
07f511ce3b6a8fb409c1a05ea3e01a6d92422674224109c8d0889a017122098c
NanoCore
4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9
NanoCore
52b5f2f95b1200b20a6f3adfcb93c6f87713155f83176dede353ee158c7c1b63
NanoCore
7ceb354c4f419b3daed055ae62d5b1aaf58a7b715f8e9de08e5379e7e70ebeb6
NanoCore
e29e9d9beb5ce8187decf038cdc0b1d3102b4cfe43715a3b4f934098a943ebed
NanoCore
e9c3fc00ddb08ef196d05b56ce0c83c04381de42e8777e902e3e9c7afe4a9f11
NanoCore
f29b0b35d584de9410f3ffe75e8e4dbc6d90ecbc6f2c4d9382d8faf33e88d80b
NanoCore
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
NanoCore
+ 3'309 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:asyncrat family:blustealer family:nanocore family:snakekeylogger collection evasion keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/211110-p9sm8shaf7/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
Async RAT payload
AgentTesla
AsyncRat
BluStealer
NanoCore
Snake Keylogger
Malware Config
C2 Extraction:
kel-j.duckdns.org:7043
https://api.telegram.org/bot1816395306:AAE3ZBLYV2L9aT9mL8itL9vr3RP6nOz_B1o/sendMessage?chat_id=1368673464
Unpacked files
SH256 hash:
700d568e38dcc4b87309a40613fe9f4dd898fd3308e977dd2ebebf0ca7bd8e62
MD5 hash:
1d47acd83118bc5125fe61dea575b4a2
SHA1 hash:
474ad2141de1cb226f534851141003016944930f
Link:
https://www.unpac.me/results/186a5f11-0d12-4b4b-b627-7f3e3516a065/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/700d568e38dc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/700d568e38dcc4b87309a40613fe9f4dd898fd3308e977dd2ebebf0ca7bd8e62

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/204717/

Comments