MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 704c8cbba29816992cf47c9d5ae71eb251814e4df4ee3e55ea77cd48644f3dbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 704c8cbba29816992cf47c9d5ae71eb251814e4df4ee3e55ea77cd48644f3dbe
SHA3-384 hash: 1054f1539ed2bf74baa3d41b875473a32f3e4a2c63e1ecfa5145f6bb415982faf19c5b0723145d3e0f8e159a4914f5b7
SHA1 hash: 1a60b77fe20960d09eaf63253d346f5d058d0966
MD5 hash: 74fad1c4df7a0bf97a2265952900b127
humanhash: sad-cola-ohio-pizza
File name:74fad1c4df7a0bf97a2265952900b127.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'273'344 bytes
First seen:2021-05-05 13:25:14 UTC
Last seen:2021-05-05 14:06:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:W2iRqSLC9p5RYRIIC+3QgHqhThN+yw0PRja1dqWPx:9oLCvkqG3QOOdux
Threatray 1'850 similar samples on MalwareBazaar
TLSH 1E450123BF584927C66D1DB488B503C0DFF1D115225AE30F2AA4547DEEC6BC62F06ADA
Reporter abuse_ch
Tags:exe NanoCore RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/150633/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/704c8cbba29816992cf47c9d5ae71eb251814e4df4ee3e55ea77cd48644f3dbe/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 04:46:07 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=obgizo5ctaljslhupsovvzy6wjiyctsn6txd4vpko7guqzcphw7a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
093313195ab55c462e616e41f5b20e0f876d69e1941d34cd05302c82d8eb20e7
NanoCore
140902e2a23240a35b3e72be9c0878d18c2a7b4780feab213cbcc03156804c05
NanoCore
6163f1bf34c821d55a7e532009adc95ba921b28578a58336e5b01f6c09d4dad4
NanoCore
70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19
NanoCore
81b26504ee095df57c80e9ea296b04b722f54a3b5b4e28047134768f7972edfc
NanoCore
af7b5b39405065f105a0bf0f53578061adcd58a5861bb38827dd0f62df4f57ed
NanoCore
ca2e54b05185ed7f76ba5ccf9f24a2e607a6322fdbd1acbc37902e4dac015697
NanoCore
e102edf045b60201468f4f7910e3ed9d78bcfb0a1e0955bf14faa9ebb2deab8f
NanoCore
e847719a98762bcf7422064186c2cdbb2f58000622448c3adcb6769b7cfbea68
NanoCore
ec89b2b660ea42254a90f3b045dc98bfe6d1733878bd39a2a7030d68de169859
NanoCore
+ 1'840 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210505-m88hrcgy4x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
79.134.225.101:83
nassiru1166main.ddns.net:83
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/e275c860-c7df-489d-8419-9cd648a4d1de/
SH256 hash:
704c8cbba29816992cf47c9d5ae71eb251814e4df4ee3e55ea77cd48644f3dbe
MD5 hash:
74fad1c4df7a0bf97a2265952900b127
SHA1 hash:
1a60b77fe20960d09eaf63253d346f5d058d0966
Link:
https://www.unpac.me/results/e275c860-c7df-489d-8419-9cd648a4d1de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/704c8cbba29816992cf47c9d5ae71eb251814e4df4ee3e55ea77cd48644f3dbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 704c8cbba29816992cf47c9d5ae71eb251814e4df4ee3e55ea77cd48644f3dbe

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1183463/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1187808/
  
URLhaus
https://urlhaus.abuse.ch/url/1183467/
  
URLhaus
https://urlhaus.abuse.ch/url/1187806/
Cape
Cape
https://www.capesandbox.com/analysis/150633/

Comments