MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7385a41293c829759b6e0e60fa1f0e5b9bc53270861bb8a7954fbbfc5353281a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7385a41293c829759b6e0e60fa1f0e5b9bc53270861bb8a7954fbbfc5353281a
SHA3-384 hash: 48e75594e1426035d36b781c62b39d6529c798796470345006c03be190fc85055b60474b72bd5696c2db99e8889169a2
SHA1 hash: 64d63a4e2a75bf883f041e3931ee31f569c91dfb
MD5 hash: 02bbe6f55e5545cdee8d65ca62fe0492
humanhash: five-comet-north-pip
File name:COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:864'768 bytes
First seen:2025-09-16 13:34:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:uKSMcmP1FEAjeBaDIF7glh1+CbJnNiTNWvScpoFKsGpfpr3JCjmn5LfoEDFqn/:9JEAwd7x+fprkjmnfm
Threatray 1'023 similar samples on MalwareBazaar
TLSH T142055BF537D87A04E0FFB372252692A0B3F3B68A85F1D60E16A7215675F09001B3676E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:DHL exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
COMMERCAILINVOICEANDDHLAWBTRACKINGDETAILS.exe
Verdict:
Malicious activity
Analysis date:
2025-09-16 13:39:19 UTC
Tags:
httpdebugger tool nanocore auto-reg auto-sch-xml
Link:
https://app.any.run/tasks/470cdf03-0aab-4096-a152-5b3e7d0e8bd9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27737/
Detection(s):
Win.Dropper.Nanocore-10021098-0
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c967cce579c633a4b5aaab
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7385a41293c829759b6e0e60fa1f0e5b9bc53270861bb8a7954fbbfc5353281a
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-15T06:44:00Z UTC
Last seen:
2025-09-15T06:44:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Crypt.sb Trojan-PSW.Agensla.TCP.ServerRequest Trojan.Win32.NanoBot.sb Trojan.Agent.TCP.ServerRequest HEUR:Trojan-Spy.MSIL.Noon.gen VHO:Backdoor.Win32.Agent.gen Backdoor.NanoBot.TCP.C&C Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.c Trojan.MSIL.Inject.b
Link:
https://opentip.kaspersky.com/7385a41293c829759b6e0e60fa1f0e5b9bc53270861bb8a7954fbbfc5353281a/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/133bde19-18ba-45da-abe2-908516c1ba1a
Result
Threat name:
Nanocore, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778533
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1778533 Sample: COMMERCAIL INVOICE AND DHL ... Startdate: 16/09/2025 Architecture: WINDOWS Score: 100 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 17 other signatures 2->59 8 COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe 3 2->8         started        12 dnshost.exe 2 2->12         started        14 COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe 2 2->14         started        16 dnshost.exe 2 2->16         started        process3 file4 49 COMMERCAIL INVOICE...ING DETAILS.exe.log, ASCII 8->49 dropped 65 Detected Nanocore Rat 8->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->67 69 Injects a PE file into a foreign processes 8->69 18 COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe 1 15 8->18         started        23 COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe 8->23         started        25 dnshost.exe 12->25         started        27 dnshost.exe 12->27         started        29 COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe 14->29         started        31 dnshost.exe 16->31         started        signatures5 process6 dnsIp7 51 2.56.246.175, 49692, 49693, 49694 GBTCLOUDUS Germany 18->51 41 C:\Program Files (x86)\DNS Host\dnshost.exe, PE32 18->41 dropped 43 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->43 dropped 45 C:\Users\user\AppData\Local\...\tmp8E6A.tmp, XML 18->45 dropped 47 C:\...\dnshost.exe:Zone.Identifier, ASCII 18->47 dropped 61 Detected Nanocore Rat 18->61 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->63 33 schtasks.exe 1 18->33         started        35 schtasks.exe 1 18->35         started        file8 signatures9 process10 process11 37 conhost.exe 33->37         started        39 conhost.exe 35->39         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7385a41293c829759b6e0e60fa1f0e5b9bc53270861bb8a7954fbbfc5353281a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7385a41293c829759b6e0e60fa1f0e5b9bc53270861bb8a7954fbbfc5353281a/
Verdict:
Malicious
Threat:
Family.NANOCORE
Link:
https://tip.neiki.dev/file/7385a41293c829759b6e0e60fa1f0e5b9bc53270861bb8a7954fbbfc5353281a
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Suspicious
First seen:
2025-09-15 09:30:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ooc2ieutzauxlg3obzqpuhyolon4kmtqqyn3rj4vj657yu2tfana._file
Verdict:
malicious
Label(s):
unc_loader_065
Create hunting rule
nanocorerat
Create hunting rule
Similar samples:
7385a41293c829759b6e0e60fa1f0e5b9bc53270861bb8a7954fbbfc5353281a
NanoCore
aa4adbda7daad239a268c41c7735506d3fa7e65eceed44c72f4970696b68dbef
NanoCore
ae0f097042a238c4047013e08ca82bff3ba379a3112848e00b6cd83dcea527a5
NanoCore
ee5c5ba42032ee6a64f4fe4e3bf490c96275a6e4f7f53299286357f5c0adbed9
NanoCore
error
NanoCore
ff9c7d024d2c1e379be44e420c9061d29b335a367492d6d7ce957a8a52628d3d
NanoCore
+ 1'013 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:darktortilla family:nanocore crypter defense_evasion discovery execution keylogger loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/250916-qwgjgsdj6v/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Darktortilla
Darktortilla family
Detects Darktortilla crypter.
NanoCore
Nanocore family
Malware Config
C2 Extraction:
2.56.246.175:9845
Verdict:
Malicious
Tags:
Win.Dropper.Nanocore-10021098-0
YARA:
n/a
Link:
https://app.threat.zone/submission/68fcff5c-a342-4f29-9574-c7ad99896e05
Unpacked files
SH256 hash:
7385a41293c829759b6e0e60fa1f0e5b9bc53270861bb8a7954fbbfc5353281a
MD5 hash:
02bbe6f55e5545cdee8d65ca62fe0492
SHA1 hash:
64d63a4e2a75bf883f041e3931ee31f569c91dfb
Link:
https://www.unpac.me/results/75d64065-70ef-4eb7-bf0b-fc9b2fbfa839/
SH256 hash:
003ddf8ddfc7afbc21df8ab9dd223df737b6ec66d1ff65ffc8d1f54a43ae7a2c
MD5 hash:
d344219cdf67ca2902224dfaa2e98224
SHA1 hash:
10a96c279c505812124da69fee75b18cceb9e64d
Link:
https://www.unpac.me/results/75d64065-70ef-4eb7-bf0b-fc9b2fbfa839/
SH256 hash:
8071de7a3056648bd2370bf20222622b7d3febb3c4e02bed93c8c20e442041ff
MD5 hash:
4f8e7041cea4ecfe4a58e31ef82344ed
SHA1 hash:
4b02e924d86a8c73160a28776bbe6c41513f0065
Detections:
win_nanocore_w0
Create hunting rule
SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24
Create hunting rule
Nanocore_RAT_Gen_2
Create hunting rule
Nanocore_RAT_Feb18_1
Create hunting rule
Nanocore
Create hunting rule
MALWARE_Win_NanoCore
Create hunting rule
Link:
https://www.unpac.me/results/75d64065-70ef-4eb7-bf0b-fc9b2fbfa839/
Parent samples :
541705f1e268cdaac90869bb557cd7b15c29cf6c01ca2ac6fd17f5e3953d394e
7385a41293c829759b6e0e60fa1f0e5b9bc53270861bb8a7954fbbfc5353281a
SH256 hash:
da4cb91d96214c7134a9e8799fdf241bd6b8103eecd4efb1b8c228ca3c8e7e91
MD5 hash:
9a06e083cd0531927dcd616b9b601ffa
SHA1 hash:
9584f7e1c8ab7be5900762abcaedf20cb92e4ae7
Link:
https://www.unpac.me/results/75d64065-70ef-4eb7-bf0b-fc9b2fbfa839/
SH256 hash:
2cb5b8fbcd0994c8371837858c1f6dfe8e0de017e86437c7aee38d710209f10a
MD5 hash:
4f5880d558000b383fbb6efb21100997
SHA1 hash:
d2ceb9140d797b0f4db46a0a02c274e4fe89f349
Link:
https://www.unpac.me/results/75d64065-70ef-4eb7-bf0b-fc9b2fbfa839/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7385a41293c8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7385a41293c829759b6e0e60fa1f0e5b9bc53270861bb8a7954fbbfc5353281a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/27737/

Comments