MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 786f44e9c80e4cecc4cb37a7b4ffbe9e82dbf501d00ac69826a537c88a3cecab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 786f44e9c80e4cecc4cb37a7b4ffbe9e82dbf501d00ac69826a537c88a3cecab
SHA3-384 hash: 75f18965bb3093ca48d94ac27c19bf3b89f782620d744d88a74e0d49b0f3fe6d593bb8e3530a823ae30595282ea6e2bb
SHA1 hash: ef662acfba9791078bd9ba4707c400930939f861
MD5 hash: 2a99eb669192792298593bfd007bd3a3
humanhash: tennis-white-cold-mississippi
File name:2a99eb669192792298593bfd007bd3a3.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:119'296 bytes
First seen:2021-06-23 20:21:12 UTC
Last seen:2021-06-23 20:34:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:MYVeXnWzxv7MIo6tmYEkx96Wr2XeTiYcIP:MYVemzdPIYTx96q7T3P
Threatray 2'984 similar samples on MalwareBazaar
TLSH 15C32B8374EC06DBE1EC1DB06C29F71C662A7F6225209D14BD89FB4A7A7590214F78BC
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
176.98.41.115:1938

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
176.98.41.115:1938 https://threatfox.abuse.ch/ioc/139726/

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2a99eb669192792298593bfd007bd3a3.exe
Verdict:
No threats detected
Analysis date:
2021-06-23 20:24:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/86a7194d-d292-4f81-9fbb-9d379fa61f6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.18941.12123.1235.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b73393a0-acd4-4f18-92f8-0cd1ec534139
Result
Threat name:
Nanocore AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806869
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Nanocore Rat
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: NanoCore
Sigma detected: Schedule system process
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439280 Sample: wriMUOqna3.exe Startdate: 23/06/2021 Architecture: WINDOWS Score: 100 94 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->94 96 Found malware configuration 2->96 98 Malicious sample detected (through community Yara rule) 2->98 100 20 other signatures 2->100 8 wriMUOqna3.exe 18 27 2->8         started        12 Updater.exe 2->12         started        14 dhcpmon.exe 2->14         started        16 dhcpmon.exe 2->16         started        process3 dnsIp4 88 transfer.sh 144.76.136.153, 443, 49729 HETZNER-ASDE Germany 8->88 90 cdn.discordapp.com 162.159.134.233, 443, 49730 CLOUDFLARENETUS United States 8->90 72 C:\Program Files\Updater.exe, PE32 8->72 dropped 74 C:\Program Files\Timer.exe, PE32 8->74 dropped 76 C:\Users\user\AppData\...\wriMUOqna3.exe.log, ASCII 8->76 dropped 18 Timer.exe 7 8->18         started        22 Updater.exe 1 13 8->22         started        25 AcroRd32.exe 15 37 8->25         started        27 conhost.exe 8->27         started        78 C:\Users\user\AppData\...\Updater.exe.log, ASCII 12->78 dropped 80 C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII 14->80 dropped file5 process6 dnsIp7 62 C:\Users\user\AppData\Roaming\svchost.exe, PE32 18->62 dropped 64 C:\Users\user\AppData\...\tmpAF27.tmp.bat, DOS 18->64 dropped 102 Protects its processes via BreakOnTermination flag 18->102 29 cmd.exe 18->29         started        31 cmd.exe 18->31         started        84 213.238.172.95, 1923 SPD-NETTR Turkey 22->84 86 127.0.0.1 unknown unknown 22->86 66 C:\Program Files (x86)\...\dhcpmon.exe, PE32 22->66 dropped 68 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 22->68 dropped 70 C:\Users\user\AppData\Local\...\tmp8BFF.tmp, XML 22->70 dropped 104 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->104 33 schtasks.exe 22->33         started        35 schtasks.exe 22->35         started        37 RdrCEF.exe 25->37         started        40 AcroRd32.exe 25->40         started        file8 signatures9 process10 dnsIp11 42 svchost.exe 29->42         started        46 conhost.exe 29->46         started        48 timeout.exe 29->48         started        50 conhost.exe 31->50         started        52 schtasks.exe 31->52         started        54 conhost.exe 33->54         started        56 conhost.exe 35->56         started        82 192.168.2.1 unknown unknown 37->82 58 RdrCEF.exe 37->58         started        60 6 other processes 37->60 process12 dnsIp13 92 176.98.41.115, 1938, 49746 RADORETR Turkey 42->92 106 Antivirus detection for dropped file 42->106 108 System process connects to network (likely due to code injection or exploit) 42->108 110 Multi AV Scanner detection for dropped file 42->110 112 2 other signatures 42->112 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/786f44e9c80e4cecc4cb37a7b4ffbe9e82dbf501d00ac69826a537c88a3cecab/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 19:54:58 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pbxuj2oibzgozrglg6t3j756t2bnx5ib2afmngbguu34rcr45svq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
nanocorerat
Create hunting rule
Similar samples:
06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff
NanoCore
1299373ec40fc1f3f16957338574a9ad51a94e62220cc8c08f1ad81dee443544
NanoCore
16fc0cec13d88da3d0a36e4c42e733db8f1e21cafc18fd813a25cd0bc835f35a
NanoCore
1b7d7515f98891cf08164a7469bb9c9f3133e7834cfe99d55094594ca330e982
NanoCore
213528a5164fcb5253010129aac3855b4b905c9c5a9514a2a2b9db7e2b592a73
NanoCore
438e8f8d626ca18bb5fbd3499cad058033b199c865badba6415e362d5b8dcd49
NanoCore
4ed4aa642d67b79463edea71fa8781461cd6a63a4a01d20c497328801381a09a
NanoCore
8403c57936639ceb93873d1e3033ed114bfbd1b85c8c0dbbff237566f442b9ed
NanoCore
ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611
NanoCore
eaf087b8fe0cf69bed568070ae460d63483525842d4c84c7750ef87c4985e622
NanoCore
+ 2'974 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:nanocore evasion keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210623-5bpxrb2dys/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Async RAT payload
AsyncRat
NanoCore
Malware Config
C2 Extraction:
213.238.172.95:1923
127.0.0.1:1923
176.98.41.115:1938
Unpacked files
SH256 hash:
786f44e9c80e4cecc4cb37a7b4ffbe9e82dbf501d00ac69826a537c88a3cecab
MD5 hash:
2a99eb669192792298593bfd007bd3a3
SHA1 hash:
ef662acfba9791078bd9ba4707c400930939f861
Link:
https://www.unpac.me/results/33de7aaf-05c7-41c7-9be5-1d411c81eb0c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/786f44e9c80e4cecc4cb37a7b4ffbe9e82dbf501d00ac69826a537c88a3cecab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:Cryptocoin_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments