MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA3-384 hash: 514e65852c8b67838903c4e7e496f446dae262a0cececf508a26bbe24835a0b49d111c7b98aecc3dd809df15947900ff
SHA1 hash: 5e24a49c70260a8cb42469dc41bb6b5f2557ec50
MD5 hash: 72729cee30402c13712d1522aef2974b
humanhash: orange-twelve-seventeen-stairway
File name:PO21019612.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:2'048'512 bytes
First seen:2023-03-14 08:00:31 UTC
Last seen:2023-03-14 09:30:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:FXQBFvAF1FMSNqZVIx9RcRK1HsWYnowZm:FeFIFCG9RcRK2Pntm
Threatray 1'406 similar samples on MalwareBazaar
TLSH T11495D042D8EBD8CCC4514C38C0E01ADD3A769FB2549ED7E856797534E8382C2B685FBA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon cfcf4a4c4c4cc3cf (4 x NanoCore)
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
37.0.14.195:2023

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
PO21019612.exe
Verdict:
Malicious activity
Analysis date:
2023-03-14 08:00:56 UTC
Tags:
nanocore
Link:
https://app.any.run/tasks/a4cb2b18-c48b-4d8c-bc77-e0f154c3bc55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374187/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/641029be8cf57265b25ac7ca/reports/9db6a5d8-f0d8-491a-945a-bf4a0dd0ff1a/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/70cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9b0bd85-e318-4f45-930c-471d8750a27c
Result
Threat name:
Nanocore, DarkComet
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1193131
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected Nanocore Rat
Disables the Windows task manager (taskmgr)
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DarkComet
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 826028 Sample: PO21019612.exe Startdate: 14/03/2023 Architecture: WINDOWS Score: 100 107 mjosh6995.ddns.net 2->107 117 Malicious sample detected (through community Yara rule) 2->117 119 Antivirus detection for URL or domain 2->119 121 Antivirus detection for dropped file 2->121 123 10 other signatures 2->123 10 PO21019612.exe 7 2->10         started        14 SZSALrLiZcPqvl.exe 4 2->14         started        16 msdcsc.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 95 C:\Users\user\AppData\...\SZSALrLiZcPqvl.exe, PE32 10->95 dropped 97 C:\...\SZSALrLiZcPqvl.exe:Zone.Identifier, ASCII 10->97 dropped 99 C:\Users\user\AppData\Local\...\tmp24B4.tmp, XML 10->99 dropped 101 C:\Users\user\AppData\...\PO21019612.exe.log, ASCII 10->101 dropped 147 Drops PE files to the document folder of the user 10->147 149 Uses schtasks.exe or at.exe to add and modify task schedules 10->149 151 Adds a directory exclusion to Windows Defender 10->151 20 PO21019612.exe 1 5 10->20         started        24 powershell.exe 21 10->24         started        26 powershell.exe 21 10->26         started        36 2 other processes 10->36 153 Multi AV Scanner detection for dropped file 14->153 155 Machine Learning detection for dropped file 14->155 157 Injects a PE file into a foreign processes 14->157 28 schtasks.exe 14->28         started        30 SZSALrLiZcPqvl.exe 14->30         started        32 schtasks.exe 16->32         started        34 msdcsc.exe 16->34         started        38 2 other processes 16->38 signatures6 process7 file8 89 C:\Users\user\Documents\MSDCSC\msdcsc.exe, PE32 20->89 dropped 91 C:\Users\user\AppData\...\MARCH STUB.EXE, PE32 20->91 dropped 93 C:\Users\user\...\msdcsc.exe:Zone.Identifier, ASCII 20->93 dropped 125 Creates an undocumented autostart registry key 20->125 127 Uses cmd line tools excessively to alter registry or file data 20->127 129 Writes to foreign memory regions 20->129 131 2 other signatures 20->131 40 msdcsc.exe 20->40         started        43 MARCH STUB.EXE 20->43         started        47 cmd.exe 20->47         started        59 2 other processes 20->59 49 conhost.exe 24->49         started        51 conhost.exe 26->51         started        53 conhost.exe 28->53         started        55 conhost.exe 32->55         started        57 conhost.exe 36->57         started        signatures9 process10 dnsIp11 133 Multi AV Scanner detection for dropped file 40->133 135 Machine Learning detection for dropped file 40->135 137 Adds a directory exclusion to Windows Defender 40->137 139 Injects a PE file into a foreign processes 40->139 61 msdcsc.exe 40->61         started        65 powershell.exe 40->65         started        67 powershell.exe 40->67         started        69 schtasks.exe 40->69         started        109 lisajennyjohn.ddns.net 37.0.14.195, 2023 WKD-ASIE Netherlands 43->109 111 mjosh6995.ddns.net 127.0.0.1 unknown unknown 43->111 103 C:\Program Files (x86)\...\dhcpmon.exe, PE32 43->103 dropped 105 C:\Users\user\AppData\Roaming\...\run.dat, data 43->105 dropped 141 Hides that the sample has been downloaded from the Internet (zone.identifier) 43->141 143 Uses cmd line tools excessively to alter registry or file data 47->143 71 conhost.exe 47->71         started        73 attrib.exe 47->73         started        145 Deletes itself after installation 59->145 75 conhost.exe 59->75         started        77 attrib.exe 59->77         started        file12 signatures13 process14 dnsIp15 113 mjosh6995.ddns.net 61->113 115 192.168.2.1 unknown unknown 61->115 159 Changes security center settings (notifications, updates, antivirus, firewall) 61->159 161 Writes to foreign memory regions 61->161 163 Allocates memory in foreign processes 61->163 165 3 other signatures 61->165 79 MARCH STUB.EXE 61->79         started        81 notepad.exe 61->81         started        83 conhost.exe 65->83         started        85 conhost.exe 67->85         started        87 conhost.exe 69->87         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 05:10:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=odghdtrfbjhmomvftyyk34iaq6hjhwhxv7kksi3cqmkltmhc3qiq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
1e6cf0bf090cbdb064a483cacc7bb094759083e8b5f199be562e30fed979398f
NanoCore
3f7658a27f67bee2e61e5232cc9219ad6d0b02725300bcc426ac527fc7099ab6
NanoCore
445bc3da96e63745748cc4d7d14faaa80122f46bc86e2a4628956f5aea4b70f7
NanoCore
45272694709263868523b77d0561757378cc2e8aa7d64c7ed21deaacbdf88b5b
NanoCore
4f7da7d6fb331a8098d4ce354690ffc64d8f0225307b406e722548109e669d4d
NanoCore
6822e60d84c96366253c77aa15337f23d4b4b31ae0b72e52b6a2a9b310af03ba
NanoCore
923527e188f407ba2bba6d1570506c474519970bc29fbee47d16d01636e7a338
NanoCore
b8d747db69fac284ccfeab921f8e06b6403763914b776ff518e6d3643ed9056d
NanoCore
+ 1'396 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet family:nanocore botnet:march 2023 evasion keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230314-jwh9raec43/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Windows security modification
Disables Task Manager via registry modification
Sets file to hidden
Darkcomet
Modifies WinLogon for persistence
Modifies security service
NanoCore
Windows security bypass
Malware Config
C2 Extraction:
mjosh6995.ddns.net:1754
mjosh6995.ddns.net:2023
lisajennyjohn.ddns.net:2023
Unpacked files
SH256 hash:
f8a74b2d63b150afbaaed0c88b694e8b044ca74fa54da7ca93b541a7588f54e4
MD5 hash:
1e6ff996b653298c66180f5be663d4c1
SHA1 hash:
6b7788e34d502b267856316091e2715830a7cd0b
Detections:
win_nanocore_w0
Create hunting rule
win_darkcomet_auto
Create hunting rule
win_darkcomet_g0
Create hunting rule
win_darkcomet_a0
Create hunting rule
Link:
https://www.unpac.me/results/27c93095-6cc6-467a-814d-d706fbf34fd3/
SH256 hash:
411d1c937346f551be931b86add9f1a1964e8671596b4162fd9efd4f01365b45
MD5 hash:
a59af326b2a73f1342e0fae2e23308f4
SHA1 hash:
120a596a2389f4f49bc46013b509af413ce70738
Link:
https://www.unpac.me/results/27c93095-6cc6-467a-814d-d706fbf34fd3/
SH256 hash:
f77665b7c3ab1059284c9645df574d96a16f021c3ce944afca53a268f32956b1
MD5 hash:
b7486d8beabd8585a43c608c9b2d7a8d
SHA1 hash:
ac66ff02301aedc25842452400f694d0cc9f4fa3
Link:
https://www.unpac.me/results/27c93095-6cc6-467a-814d-d706fbf34fd3/
SH256 hash:
f895769f0c0014c630ef6da430b0be49e09b2b09961e867f2e9c9b3c9a3366ad
MD5 hash:
c68abe610968557e2c047d9e4423f507
SHA1 hash:
9b1ec7249cd0671a65c5c8be3abc70d693ec6f20
Link:
https://www.unpac.me/results/27c93095-6cc6-467a-814d-d706fbf34fd3/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/27c93095-6cc6-467a-814d-d706fbf34fd3/
SH256 hash:
bc88abf915245b6eca7c80c441e7527d6a61eb78091917e0b1bc844957512d4d
MD5 hash:
93f8ecd07909f71d55f6cdc163395503
SHA1 hash:
5e1d71119d8911d697120fdf07c5d7c52a335028
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/27c93095-6cc6-467a-814d-d706fbf34fd3/
SH256 hash:
70cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
MD5 hash:
72729cee30402c13712d1522aef2974b
SHA1 hash:
5e24a49c70260a8cb42469dc41bb6b5f2557ec50
Link:
https://www.unpac.me/results/27c93095-6cc6-467a-814d-d706fbf34fd3/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/70cc71ce250a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/374187/

Comments